Description

The present invention relates to controlling the use of cryptographic keys via control values established by a generating station. It is noted that a generating station may also be a using station.

Cryptography is the only known practical means for protecting information transmitted through a large communications network, be it telephone line, microwave, or satellite. A detailed discussion of how cryptography can be used to achieve communications security is provided in the book by Carl H. Meyer and Stephen M. Matyas entitled Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons (1982). Cryptography can also be used to achieve file security, and a protocol is developed in the Meyer and Matyas book for the encryption of data stored in removable media. Other subjects discussed in the book are enhanced authentication protocols, including personal verification, message authentication, and digital signatures. These subjects are of particular interest to those concerned with electronic funds transfer and credit card applications within the banking and finance industry, or any other area where the originator, timeliness, contents, and intended receiver of a message must be verified.

In the prior art, several references respectively illustrate protocols for distributing cryptographic keys among cryptographically communicating nodes. Further, they discuss authentication as a process independent of the establishment of session keys. These references include U.S. Patent No. 4,227,253 to Ehrsam et al. entitled "Cryptographic Communication Security for Multiple Domain Networks" issued October 7, 1980, and U.S. Patent No. 4,218,738 to Matyas et al. entitled "Method for Authenticating the Identity of a User of an Information System" issued August 19, 1980. The Matyas et al. patent involves a node sending a pattern to a terminal, requiring the terminal to modify the pattern and remit its modification back to the host to permit a comparison match.

Ehrsam et al., U.S. Patent No. 4,227,253, describe a communication security system providing for the establishment of a session key and the concept of cross-domain keys. The Ehrsam et al. patent typifies a mechanism, i.e., the use of cross-domain keys, used for exchanging session key information between nodes on the one hand and protecting the secrecy of the node master keys on the other hand. More specifically, Ehrsam et al. describe a cryptographic facility at a host computer which, among other things, has a master key KM0 with first and second variants of the master key, denoted KM1 and KM2, and cryptographic operations in support of cryptographic applications and key management, denoted ECPH, DCPH, RFMK, and RTMK. Variants of the master key are obtained by inverting designated bits in the master key to produce different keys, which is equivalent to Exclusive-ORing predetermined mask values with the master key to produce the variant master keys. The mnemonics ECPH, DCPH, RFMK, and RTMK represent the cryptographic operations for Encipher Data, Decipher Data, Reencipher From Master Key, and Reencipher To Master Key. A precise definition of these cryptographic operations is unimportant to the present disclosure; however, the method is such that keys encrypted under KM0 can be used beneficially with the ECPH and DCPH functions, keys encrypted under KM1 can be used with the RFMK function, and keys encrypted under KM2 can be used with the RTMK function, but not vice versa. If V0, V1 and V2 denote the mask values which when Exclusive-ORed with KM produce KM0, KM1 and KM2, respectively, then there is an implicit control by the mask values of which cryptographic keys may be beneficially used by which of these cryptographic functions. Although Ehrsam et al. use variants to control the use of cryptographic keys, by coupling the variants to the cryptographic operations, there is a one-to-one equivalence between the cryptographic operations and the prescribed variants of the key parameters allowed with each cryptographic operation. The Ehrsam et al. architecture does not allow different combinations of variants of keys to be used with each cryptographic function. Thus, for example, if ECPH and DCPH are supported and it is desired to implement data keys with properties of Encipher Only, Decipher Only, and Encipher/Decipher using variants V1, V2 and V3, there is no way to assign these variants to the ECPH and DCPH operations to implement the desired data key properties, i.e., there are not enough variants defined for these operations to accomplish the purpose. In effect, to design such a system requires an ECPH1 which operates with V1, an ECPH2 which operates with V3, a DCPH1 which operates with V2, and a DCPH2 which operates with V4. Therefore, the use of variants to control the use of a cryptographic key in a sophisticated architecture would require the function set to be expanded, and this expansion in the function set has disadvantages, the most important of which are the increase of system complexity and cost.

U.S. Patent No. 4,386,233 to Smid et al. entitled "Cryptographic Key Notarization Methods and Apparatus" issued May 31, 1983, describes a technique of notarizing cryptographic keys for a cryptographic function by encrypting the keys with the cryptographic function using a notarizing cryptographic key derived from identifier designations associated with the encryptor and intended decryptor, respectively, and an interchange key which is accessible only to authorized users of the cryptographic function. In other words, Smid et al. control who can use a key but not how the key can be used. Smid et al.'s notarizing key is derived by concatenating the binary equivalent of the encryptor's identifier designation with the binary equivalent of the decryptor's identifier designation as an ordered pair and logically combining in an Exclusive-OR operation the concatenated result with the interchange key.

EP 0 292 790 B1

U.S. Patent No. 4,503,287 to Morris et al. entitled "Two-Tiered Communication Security Employing Asymmetric Session Keys" issued March 5, 1985, describes a technique for ensuring communications security between a host computer and another remote computer or terminal by means of a two-tiered cryptographic communications security device and procedure. The Morris et al. technique employs two session keys, one which is encrypted under a master key and transmitted from a remote facility to the host where it is stored, and one which is generated at the host, encrypted under the master key and transmitted to the remote facility where it is used as a session decryptor key.

Thus, while the prior art provides various protocols for distributing cryptographic keys among cryptographically communicating nodes and even provides a way of controlling who may use a cryptographic key at a particular node, there has not been a practical and effective solution to the problem of how to control the use of a cryptographic key at a node, particularly in a sophisticated system. Frequently, different types of keys must be distributed to certain system nodes.

The present invention provides a method of controlling the use of securely transmitted information in a network of stations in which each potentially cooperating station includes a cryptographic facility which securely stores a master key and in which, for each transmission between a pair of stations, a cryptographic key result is provided for each station of the pair by a generating station which is either one of the pair or a station external to the pair under a cryptographic protocol common to the networks, the cryptographic key results for the transmission having a random component notionally particular to the transmission, a master key variant component either particular to the stations individually or as a pair, characterised in that in response to a generating command invoked in the generating station for establishing a controlled use secure transmission between a designated pair of stations, the generating station generates the cryptographic key result for each designated station, accesses the control value common to the system for the permitted operation for each of the stations for the particular transmission, combines the control value with the common key result or each individual key result and causes the appropriate combined key result to be established in each station of the pair for the transmission, and wherein the cryptographic facility in each station is arranged, when an operating command is invoked to perform a designated operation with respect to such securely transmitted information, to automatically abort such operation unless it matches the control value.

As disclosed hereinafter, cryptographic techniques according to the present invention are practiced in a communications network having a plurality of stations, each of which has a cryptographic facility which performs cryptographic operations in support of the network encryption function. Such a network can be, for example, an electronic funds transfer (EFT) or point of sale (POS) network and, in any case, would include at least one generating station and at least two using stations. The cryptographic facility at each station in the network has a Key Generation Function (KGF) and a Key Usage Function (KUF). Each key generated by a KGF has an associated control value C which prescribes how the key may be used, and the KUF provides a key authorization function to ensure that a requested usage of a key complies with the control value C.

Two methods may be employed to implement the technique whereby a generating station in a communications network controls the use of a cryptographic key. In the first method, each key and control value are authenticated via a special authentication code before use. In the second method, the key and the control value are coupled during key generation such that the key is recovered only if the correct control value is specified.

In addition to controlling the use of a cryptographic key, the generating station controls which generating stations may use a generated and distributed cryptographic key. Two methods are employed to additionally control who may use a cryptographic key. In the first method, each using station has a unique secret transport key shared with a generating station, which the generating station uses to distribute generated data keys to the using stations. Keys are generated by the generating station in such a way that they can be recovered or regenerated only by the designated using stations possessing the correct, designated, secret transport keys. In the second method, each using station has a unique nonsecret value associated with it and each pair of using stations share a common, secret transport key with each other and also with the generating station. Keys are generated by the generating station such that they are recovered or regenerated only by the designated using stations possessing the correct, designated, secret transport key. However, since the transport key is shared among two using stations, further cryptographic separation is achieved by using the mentioned public values associated with each using station. Thus, the key generation and recovery procedure is such that the keys distributed to each using station can be recovered or regenerated only by the appropriate using stations possessing the correct designated, public values. In effect, the transport key ensures that keys prepared for using stations i and j cannot be recovered or regenerated at some other using station k, whereas the public values ensure that a key prepared for using station i cannot be recovered or regenerated at using station j, or vice versa.

In summary, four specific cases are described. In the first case, key authentication is used and cryptographic separation is achieved via different, secret transport keys. In the second case, key authentication is used and cryptographic separation is achieved via different public values associated with each using station and via a common, secret transport key. In the third case, no authentication key is used and cryptographic separation is achieved via different, secret transport keys. In the fourth case, no key authentication is used and cryptographic separation is achieved via different public values associated with each using station and via a common, secret transport key.

A control value specifying the usage of a key can be implemented with integrity in three ways:

1. Via authentication codes. The key and control value are distributed separately but are coupled via the authentication code.

2. Via a key distribution function that combines the key with the control value and a secret transport key. Separation is achieved by using different secret transport keys for different using stations.

3. Via a key distribution function that combines the key with the control value, a unique public value associated with the receiving station, and a secret transport key. The transport key is the same for each receiving using station. Separation is achieved via the public value, which is different for each different receiving using station.

The present invention is based on the recognition that additional security benefits could be achieved via a key distribution method where each key had an associated control value that governed how the key would be used by a using station. A way is provided to couple the key and the control value in a cryptographically secure way to provide a convenient, easy and flexible method of implementing the concept so that keys can be generated at a generating station and distributed to two or more using stations where they can be used in cryptographic operations for cryptographic processing purposes.

An authentication code can be calculated using a secret key which is part of the data being authenticated, whereas in part of the prior art, the message authentication key and the data being authenticated are decoupled. With message authentication, the secret key is used repeatedly to authenticate messages sent from one party to another who share the authentication key, whereas the secret key, as used in this invention, is used just once to authenticate the key itself, the control value, and possibly other nonsecret data associated with the key.
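
The authentication-code method described above, as an added example that is not code from the patent. HMAC-SHA256 stands in for the DEA-based functions, and the names `distribute` and `accept`, the bit assignments and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ENCIPHER, DECIPHER = 0x1, 0x2  # hypothetical control-value bits


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kac(k: bytes, c: int, info: bytes) -> bytes:
    """Authentication code keyed with K itself over K, C and nonsecret data."""
    return hmac.new(k, k + c.to_bytes(4, "big") + info, hashlib.sha256).digest()


def distribute(kr: bytes, k: bytes, c: int, info: bytes = b"") -> dict:
    """Generating station: enciphered key, control value, authentication code."""
    nonce = secrets.token_bytes(16)
    # Stand-in for encipherment of K under transport key KR.
    mask = hmac.new(kr, nonce, hashlib.sha256).digest()
    return {"nonce": nonce, "ek": _xor(k, mask), "c": c,
            "info": info, "kac": _kac(k, c, info)}


def accept(kr: bytes, msg: dict, op: int) -> bytes:
    """Using station KUF: authenticate (K, C) first, then authorize op."""
    mask = hmac.new(kr, msg["nonce"], hashlib.sha256).digest()
    k = _xor(msg["ek"], mask)
    if not hmac.compare_digest(_kac(k, msg["c"], msg["info"]), msg["kac"]):
        raise ValueError("key authentication code does not match")
    if not msg["c"] & op:
        raise PermissionError("operation not permitted by control value")
    return k


def demo() -> dict:
    kr = secrets.token_bytes(16)   # constructed transport key
    k = secrets.token_bytes(16)    # constructed data key
    msg = distribute(kr, k, ENCIPHER, b"constructed-key-id")
    out = {"recovered": accept(kr, msg, ENCIPHER) == k}
    # C is distributed separately from the key; widening it breaks the code.
    tampered = dict(msg, c=ENCIPHER | DECIPHER)
    for name, m in (("tampered_c", tampered), ("unpermitted_op", msg)):
        try:
            accept(kr, m, DECIPHER)
            out[name] = "accepted"
        except (ValueError, PermissionError) as exc:
            out[name] = type(exc).__name__
    return out
```
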

Ehrsam et al., cited above, provides cryptographic separation via two different cross domain keys (or transport keys) for the purpose of distributing a secret dynamically generated key to two using stations. As mentioned above, the variants employed by Ehrsam et al. provide an implicit control of the beneficial uses to which cryptographic keys may be applied; however, the use of variants severely limits the functions which may be supported. The method according to the present invention of using control values to control the use of cryptographic keys avoids the problems associated with variants since each bit in the control value can be associated with a different cryptographic operation. Thus, if there are 32 cryptographic operations, then a control value of 32 bits or less will cover all possible combinations, whereas with variants this would require potentially 2^32 different cryptographic operations to allow for all combinations. The invention achieves an obvious economy of scale with the control value over the Ehrsam et al. method based on variants.

Combining a key and a key variant mask with a secret transport key is a concept described, for example, in copending U.S. Application Serial No. 722,091 filed April 11, 1985, by Walter Ernst Bass et al. for "A Method for Establishing User Authentication with Composite Session Keys Among Cryptographically Communicating Nodes". In that application, the variant of a single cross domain key is used to achieve unidirectionality between two receiving stations, so that replay attacks are thwarted. The unidirectionality feature precludes attacks where certain quantities sent from one point to another as part of establishing a session key cannot beneficially be replayed back to the originating point. The variant mask associated with the cross domain key, in this case, is not a control value as used in this invention; i.e., it does not specify the usage of the key.

The key distribution function described in the patent to Smid et al., cited above, combines a key to be distributed with the IDs of the sending and receiving nodes and with a secret interchange key. This controls who can use a cryptographic key but does not control how the cryptographic key is to be used. The control value which is used in the present invention, while similar to the concatenation of the sending and receiving IDs as used by Smid et al., is for a wholly different purpose.

The present invention will be described further by way of example with reference to embodiments thereof as illustrated in the accompanying drawings, in which:

Figure 1 is a block diagram illustrating a communication system consisting of a multiplicity of communicating stations connected via a PTT (Post, Telephone and Telegraph) interconnect network;
Figure 2 is a block diagram showing a cryptographic facility capable of encryption/decryption via the Data Encryption Algorithm (DEA);
Figure 3 is a block diagram showing three stations in the network configuration of Figure 1 including a generating station and two using stations;
Figure 4 is a block diagram illustrating the functional relationship between functions f1 and g1;
Figure 5 is a block diagram of the function f2;
Figure 6 is a block diagram showing the functional relationship between the functions f3 and g3;
Figure 7 is a block diagram of the function f4;
Figure 8 is a block diagram showing the functional relationship between the functions f5 and g5;
Figure 9 is a block diagram showing the functional relationship between the functions f6 and g6;
Figure 10 is a block diagram of a first embodiment of a generating station wherein a first and second form of a key K are generated via a first function f1 and a first and second key authentication code are generated via a second function f2;
Figure 11 is a block diagram showing one example of an embodiment for function f1;
Figure 12 is a block diagram showing one example of an embodiment for function f2;
Figure 13 is a block diagram showing a second embodiment of a generating station wherein a first and second form of a key K are generated via a third function f3 and a first and second key authentication code are generated via a fourth function g3 related to function f3 and a fourth function f4;
Figure 14 is a block diagram of one example of an embodiment of the functions f3 and g3;
Figure 15 is a block diagram of another example of an embodiment of the functions f3 and g3;
Figure 16 is a block diagram of one example of an embodiment of the function f4;
Figure 17 is a block diagram of another example of an embodiment of the function f4;
Figure 18 is a block diagram showing a first embodiment of a using station related to the first embodiment of a generating station shown in Figure 10 wherein the received key K is recovered via a function g1, which is related to the function f1, and wherein the received key authentication code is authenticated via the function f2;
Figure 19 is a block diagram showing a second embodiment of a using station related to the second embodiment of the generating station shown in Figure 13 wherein the received key K is recovered via a function g3, which is related to function f3, and wherein the received key authentication code is authenticated via the function f4;
Figure 20 is a block diagram of a third embodiment of a generating station wherein a first and second form of a key K are generated via a fifth function f5;
Figure 21 is a block diagram of a fourth embodiment of a generating station wherein a first and second form of a key K are generated via a sixth function f6;
Figure 22 is a block diagram of an example of an embodiment of function f5 and a related function g5;
Figure 23 is a block diagram of an example of an embodiment of function f6 and a related function g6;
Figure 24 is a block diagram of a third embodiment of a using station related to the third embodiment of the generating station shown in Figure 20 wherein the received key K is recovered via function g5, which is related to function f5;
Figure 25 is a block diagram of a fourth embodiment of a using station related to the fourth embodiment of the generating station shown in Figure 21 wherein the received key K is recovered via function g6, which is related to function f6; and
Figure 26 is a graphical representation of one possible control vector which may be used.

Referring now to the drawings, and more particularly to Figure 1, a network is shown in which the stations (computers, controllers, terminals, and the like) are connected via a PTT (Post, Telephone and Telegraph) interconnect network. Each such station has an encryption/decryption feature capable of end-to-end encryption with any other station in the network. The network referred to here might be an electronic funds transfer (EFT) or point of sales (POS) network.

Each such station has a cryptographic facility which performs cryptographic operations in support of the network encryption function, such that any station with an implemented cryptographic facility is capable of end-to-end encryption with any other station in the network. The network message formats and protocols necessary to support such cryptographic communication, including those messages necessary to support cryptographic keys and key management functions, are not shown here as such messages and protocols are known in the prior art.

Referring now to Figure 2, there is shown a cryptographic facility 10 containing a chip implementation of the Data Encryption Algorithm (DEA) 11, a hardware random number generator 12, a microprocessor 13, a battery 14, a battery-backed random access memory (RAM) 15 for storage of keys and other cryptographic variables, and a memory 16 for storage of system microcode and program code. Keys and cryptographic variables are loaded into the cryptographic facility via a key entry interface 17 and routed to memory 15 via a secure direct path 18. The cryptographic facility can be accessed logically only through inviolate processor interface 19, which is secure against intrusion, circumvention and deception, and which permits processing requests 20 and data inputs 21 to be presented to the cryptographic facility and transformed output 22 to be received from the cryptographic facility.

The cryptographic facility at each station in the network configuration of Figure 1 has a Key Generation Function (KGF) and a Key Usage Function (KUF). Each key generated by a KGF has an associated control value C which prescribes how the key may be used; e.g., encrypt only, decrypt only, generation of message authentication codes, verification of message authentication codes, etc. The KUF provides a key authorization function to ensure that a requested usage of a key complies with the control value C, and it also serves as an authentication function to ensure that a requested key and control value are valid before allowing the key to be used. Thus, the KUF is the logical component of the cryptographic facility that enforces how keys are used at each using station, and in this sense, the KUFs collectively enforce the overall network key usage as dictated by the generating station.

Figure 3 depicts three stations in the network configuration of Figure 1 comprising a generating station and two separate using stations. Each station has a KGF and a KUF, although only the designated generating station has need to exercise the KGF and only the designated using stations have need to exercise the KUF. Thus, it will be appreciated that any station in the network configuration of Figure 1 can act as a generating station for any other stations acting as using stations, and that a generating station may also act as one of the intended using stations. Moreover, it will be appreciated that this general arrangement can be extended to cover the case where a generating station generates a key in several forms for distribution to several using stations, so that the invention is not limited to only two using stations. All of these combinations and variations are not specifically shown, but it should be evident from the description provided.

Referring again to Figure 3, there is shown a key generated at the generating station via its KGF in a first form with a first control value C and in a second form with a second control value C, which may be the same or different from the first control value C. The generated first form of the key and the first control value are transmitted to a first using station and the generated second form of the key and the second control value are transmitted to a second using station. Thus, the KUF at the first using station permits the received first form of the key to be used only in the manner prescribed by the received first control value and the KUF at the second using station permits the received second form of the key to be used only in the manner prescribed by the received second control value, which may be the same or different from the first control value received by the first using station.

It will be appreciated that each form of the key (first form, second form, etc.) may consist of one or more parameter values representing the information or data necessary to recover, regenerate or reconstitute a previously generated key, and that this process of recovery or regeneration of the key, although not specifically shown in Figure 3, always requires the use of a secret key available to, and known only to the receiving using station. These additional details are described hereinbelow. It will be appreciated still further that additional cryptographic values, beyond those defined as the form of the key and the control value, such as using station unique public value and key authentication code, can be used in addition though such are not all detailed herein. The purpose and use of each of these cryptographic quantities depends on the particular environment and application being considered. The main variations are treated more fully below.

The subject invention may be practiced using two different methods whereby a generating station can control how a cryptographic key may be used at the using station. The first method, which is illustrated by Figures 10 through 19, requires each key and control value, and possibly other key-related data, to be authenticated via a special authentication code before the received, recovered key may be used. The second method, which is illustrated by Figures 20-25, couples the key and control value during the key generation process such that the key is recovered correctly at a using station only if the correct control value has first been specified. Specification of an incorrect control value, in effect, causes a random, unknown key K to be recovered. Thus, if different, incorrect values of Ci and Cj are specified at using stations i and j, where there may even be collusion between i and j, the keys recovered by using stations i and j will be spurious (i.e., equal only by pure chance), and hence, no communication between using stations i and j with such incorrectly recovered keys is possible. By exchanging a short verification message which uses the recovered keys, using stations i and j can therefore verify that the key has been correctly recovered before using the key.

Two different methods can be used whereby a generating station can control the using station or stations that may use a distributed cryptographic key. Both methods ensure that a first using station i cannot use or beneficially misuse a key which has been designated for use at another using station j. In the first method, which is illustrated by Figures 10, 11, 12, 18, 20, 22, and 24, cryptographic separation among the keys designated for use at different using stations is accomplished by using different secret transport keys. Each using station shares a different, secret transport key (KR) with each generating station. Thus, at generating station a, transport key KRa,i is used for distribution of key K to using station i, whereas transport key KRa,j is used for distribution of key K to using station j. Under the key distribution procedure, a distributed key K and the transport key are coupled cryptographically such that key K is recovered correctly within the cryptographic facility at using station i only if the proper transport key KRa,i has first been initialized. Likewise, key K is recovered correctly within the cryptographic facility at using station j only if the proper transport key KRa,j has first been initialized. In the second method, which is illustrated by Figures 13, 14, 15, 16, 17, 19, 21, 23, and 25, cryptographic separation among the keys designated for use at different using stations is accomplished by assigning and associating a unique, nonsecret value with each using station which is initialized in the cryptographic facility of each respective using station and by sharing a unique, secret transport key among the respective receiving using stations and the generating station. Thus, at generating station a, transport key KRij is used for distribution of key K to using stations i and j. The nonsecret or public value associated with each using station is designated PV, so that values PVi and PVj would be used for distribution of key K to using stations i and j, respectively. Under the key distribution procedure, a distributed key K, the public value PV, and the transport key KR are coupled cryptographically such that key K is recovered correctly within the cryptographic facility at using station i only if the proper transport key KRij and the proper public value PVi have first been initialized. Likewise, key K is recovered correctly within the cryptographic facility at using station j only if the proper transport key KRij and the proper public value PVj have first been initialized.
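
The coupling of key, control value, public value and transport key described in the two paragraphs above, as an added example that is not code from the patent. HMAC-SHA256 stands in for the DEA-based functions; the bit assignments, the names `kgf_form`, `UsingStation` and `check_value`, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical bit assignment: one control-value bit per permitted operation.
ENCIPHER, DECIPHER, MAC_GEN, MAC_VER = 0x1, 0x2, 0x4, 0x8
KEY_LEN = 16


def _mask(kr: bytes, c: int, pv: bytes) -> bytes:
    """Mask bound to transport key KR, control value C and public value PV.

    HMAC-SHA256 is a stand-in for the DEA-based functions of the patent.
    """
    msg = c.to_bytes(4, "big") + pv
    return hmac.new(kr, msg, hashlib.sha256).digest()[:KEY_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kgf_form(kr: bytes, c: int, pv: bytes, k: bytes) -> bytes:
    """Generating station (KGF): form of key K for the station owning PV."""
    return _xor(k, _mask(kr, c, pv))


class UsingStation:
    """Key Usage Function (KUF) of one using station."""

    def __init__(self, kr: bytes, pv: bytes):
        self._kr = kr  # secret transport key shared with the generating station
        self._pv = pv  # this station's nonsecret public value

    def recover(self, form: bytes, c: int, op: int) -> bytes:
        # Abort unless the requested operation is permitted by C.
        if not c & op:
            raise PermissionError("operation not permitted by control value")
        # A wrong C, PV or KR yields an unrelated key, not an error.
        return _xor(form, _mask(self._kr, c, self._pv))


def check_value(k: bytes) -> bytes:
    """Short verification message computed with the recovered key."""
    return hmac.new(k, b"key-check", hashlib.sha256).digest()[:8]


def demo() -> dict:
    kr_ij = secrets.token_bytes(16)          # common transport key KRij
    pv_i, pv_j = b"station-i", b"station-j"  # constructed public values
    k = secrets.token_bytes(KEY_LEN)
    c_i = ENCIPHER | MAC_GEN                 # station i may only send
    c_j = DECIPHER | MAC_VER                 # station j may only receive
    form_i = kgf_form(kr_ij, c_i, pv_i, k)
    form_j = kgf_form(kr_ij, c_j, pv_j, k)
    st_i, st_j = UsingStation(kr_ij, pv_i), UsingStation(kr_ij, pv_j)

    k_i = st_i.recover(form_i, c_i, ENCIPHER)
    k_j = st_j.recover(form_j, c_j, DECIPHER)
    try:
        st_i.recover(form_i, c_i, DECIPHER)
        aborted = False
    except PermissionError:
        aborted = True
    # Station i specifies a widened control value: the key is spurious.
    k_forged = st_i.recover(form_i, c_i | DECIPHER, DECIPHER)
    # Station j tries to recover K from the form prepared for station i.
    k_cross = st_j.recover(form_i, c_i, ENCIPHER)
    return {
        "same_key": k_i == k_j == k,
        "aborted": aborted,
        "forged_matches": hmac.compare_digest(check_value(k_forged),
                                              check_value(k_j)),
        "cross_matches": k_cross == k,
    }
```
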

From the description above, those skilled in the art will appreciate that Figures 10, 11, 12, and 18 cover the case where key authentication is used and cryptographic separation is achieved via different transport keys; Figures 20, 22 and 24 cover the case where key authentication is used and cryptographic separation is achieved via different public values associated with each using station and a common, secret transport key; Figures 13, 14, 15, 16, 17, and 19 cover the case where no key authentication is used and cryptographic separation is achieved via different transport keys; and Figures 21, 23 and 25 cover the case where no key authentication is used and cryptographic separation is achieved via different public values associated with each using station in conjunction with a common, secret transport key at each using station.

DEFINITION 

Several different cryptographic functions are defined. These are
designated as functions f1, f2, f3, f4, f5, f6, g1, g3, g5, and g6.
These functions are used within the cryptographic facility of the
generating and using stations for the purposes of key generation, key
recovery, and key authentication. A precise definition of each
function is given below:

1. Referring to Figure 4, functions f1 and g1 are a pair of nonsecret
cryptographic functions with the following properties:

a. f1 and g1 each have two inputs and one output.

b. The notation f1(x,y) = z means that z is the output when f1 is
applied to inputs x and y. Likewise, the notation g1(x,z) = y means
that y is the output when g1 is applied to inputs x and z.

c. f1 is such that f1(x,y) depends on each of the inputs x and y; g1
is such that g1(x,z) depends on each of the inputs x and z.

d. f1 and g1 are such that if f1(x,y) = z, then g1(x,z) = y. In
effect, when the first input parameters of f1 and g1 are set equal,
then g1 becomes the inverse of f1. Loosely speaking, the first input
parameters of f1 and g1 are cryptographic keys.

e. f1(x,y) is easily calculated from x and y. Likewise, g1(x,z) is
easily calculated from x and z.

f. For any given f1(x,y) = z, where z and y are known and x is
unknown, it is computationally infeasible to calculate x from y and
z. Likewise, for any given g1(x,z) = y, where z and y are known and x
is unknown, it is computationally infeasible to calculate x from y
and z. With respect to the use of f1 and g1 in the present
arrangement, this property protects the secrecy of the fixed secret
cryptographic key x even if the secret distributed key y should be
compromised.

g. For any given f1(x,y) = z, where z is known and x and y are
unknown, it is computationally infeasible to calculate y from z.
Likewise, for any given g1(x,z) = y, where z is known and x and y are
unknown, it is computationally infeasible to calculate y from z. This
protects the secrecy of the dynamically distributed secret key y.

h. For any given f1(x,y) = z, where z is known and x and y are
unknown, it is computationally infeasible to find a y' and z', where
z' may be equal to z, which satisfy the relationship f1(x,y') = z'.
Likewise, for any given g1(x,z) = y, where z is known and x and y are
unknown, it is computationally infeasible to find a y' and a z',
where z' may be equal to z, which satisfy the relationship
g1(x,z') = y'. This prevents an opponent from forging a dynamically
distributed key y that will be accepted by a using station.

2. Referring to Figure 5, function f2 is a nonsecret cryptographic
function with the following properties:

a. f2 has two inputs and one output.

b. The notation f2(x,y) = z means that z is the output when f2 is
applied to inputs x and y.

c. f2 is such that f2(x,y) depends on each of the inputs x and y.

d. f2(x,y) is easily calculated from x and y.

e. For any given f2(x,y) = z, where y and z are known and x is
unknown, it is computationally infeasible to calculate x from y and
z. This protects the secrecy of the dynamically distributed secret
key x.

f. For any given f2(x,y) = z, where y and z are known and x is
unknown, it is computationally infeasible to find a y' ≠ y and a z',
where z' may be equal to z, such that f2(x,y') = z'. This prevents an
opponent from forging a control value C and an authentication code
that will be properly authenticated and accepted by a using station.

3. Referring to Figure 6, functions f3 and g3 are a pair of nonsecret
cryptographic functions with the following properties:

a. f3 and g3 each have two inputs and one output.

b. The notation f3(x,y) = z means that z is the output when f3 is
applied to inputs x and y. Likewise, the notation g3(x,z) = k means
that k is the output when g3 is applied to inputs x and z. The value
of k is the dynamically produced secret key being distributed.

c. f3 is such that f3(x,y) depends on input y, but may or may not
depend on input x. This distinguishes function f3 from function f1.

d. Unlike functions f1 and g1, where f1(x,y) = z implies that
g1(x,z) = y, functions f3 and g3 are such that f3(x,y) = z does not
imply that g3(x,z) = y. This property may or may not hold for f3 and
g3. The critical feature here is that f3 and g3 are less restrictive
than functions f1 and g1, whereas, at the same time, they are such
that the secret key k can be dynamically produced, distributed and
recovered because of the guaranteed functional relationship
g3(x,f3(x,y)) = k. In effect, f3 and g3 permit a key distribution
using one way functions rather than by using encryption and
decryption, which are, by definition, reversible or two way
functions.

e. f3(x,y) is easily calculated from x and y. Likewise, g3(x,z) is
easily calculated from x and z.

f. For any given f3(x,y) = z, where z and y are known and x is
unknown, it is computationally infeasible to calculate x from y and
z. Likewise, for any given g3(x,z) = k, where z and k are known and x
is unknown, it is computationally infeasible to calculate x from k
and z. This protects the secrecy of the fixed secret cryptographic
key x even if the secret distribution key y should become
compromised.

g. For any given g3(x,z) = k, where z is known and x and k are
unknown, it is computationally infeasible to calculate k from z. This
protects the secrecy of the dynamically distributed secret key k.

h. If function f3 is such that k can be derived easily from y, or
from y and other nonsecret data presumed available, then for any
given f3(x,y) = z, where z is known and x and y are unknown, it is
computationally infeasible to calculate y from z. Again, this
protects the secrecy of the dynamically distributed secret key k.

i. For any given g3(x,z) = k, where z is known and x and k are
unknown, it is computationally infeasible to find a z' and k' which
satisfy the relationship g3(x,z') = k'. This prevents an opponent
from forging a dynamically distributed key k that will be accepted by
a using station.

j. If function f3 is such that k can be derived easily from y, or
from y and other nonsecret data presumed available, then for any
given f3(x,y) = z, where z is known and x and y are unknown, it is
computationally infeasible to find a y' and z', where z' may be equal
to z, which satisfy the relationship f3(x,y') = z'. Again, this
prevents an opponent from forging a dynamically distributed key k
that will be accepted by a using station.

4. Referring to Figure 7, function f4 is a nonsecret cryptographic
function with the following properties:

a. f4 has three inputs and one output.

b. The notation f4(w,x,y) = z means that z is the output when f4 is
applied to inputs w, x and y.

c. f4 is such that f4(w,x,y) depends on each of the inputs w, x and
y.

d. f4(w,x,y) is easily computed from w, x and y.

e. For any given f4(w,x,y) = z, where x, y and z are known and w is
unknown, it is computationally infeasible to calculate w from x, y
and z. This protects the secrecy of the dynamically distributed
secret key w.

f. For any given f4(w,x,y) = z, where x, y and z are known and w is
unknown, it is computationally infeasible to find an x', y' and z',
where x' or y' or both x' and y' are different from x and y,
respectively, which satisfy the relationship f4(w,x',y') = z'. This
prevents an opponent from forging a control value C and an
authentication code for given public value PV, which will be properly
authenticated and accepted by a using station.

5. Referring to Figure 8, functions f5 and g5 are a pair of nonsecret
cryptographic functions with the following properties:

a. f5 and g5 each have three inputs and one output.

b. The notation f5(w,x,y) = z means that z is the output when f5 is
applied to inputs w, x and y. Likewise, the notation g5(w,x,z) = y
means that y is the output when g5 is applied to inputs w, x and z.

c. f5 is such that f5(w,x,y) depends on each of the inputs w, x and
y. g5 is such that g5(w,x,z) depends on each of the inputs w, x and
z.

d. f5 and g5 are such that if f5(w,x,y) = z, then g5(w,x,z) = y. In
effect, when the first and second input parameters of f5 and g5 are
set equal, then g5 becomes the inverse of f5. For practical purposes,
the input parameter w in functions f5 and g5 is a fixed secret
cryptographic key.

e. f5(w,x,y) is easily calculated from w, x and y. Likewise,
g5(w,x,z) is easily calculated from w, x and z.

f. For any given f5(w,x,y) = z, where z, x and y are known and w is
unknown, it is computationally infeasible to calculate w from z, x
and y. Likewise, for any given g5(w,x,z) = y, where z, x and y are
known and w is unknown, it is computationally infeasible to calculate
w from z, x and y. This protects the secrecy of the fixed secret
cryptographic key w even if the secret distributed key y should
become compromised.

g. For any given f5(w,x,y) = z, where z and x are known and w and y
are unknown, it is computationally infeasible to calculate y from z
and x. Likewise, for any given g5(w,x,z) = y, where z and x are known
and w and y are unknown, it is computationally infeasible to
calculate y from z and x. This protects the secrecy of the
dynamically distributed secret key y.

h. For any given f5(w,x,y) = z, where z and x are known and w and y
are unknown, it is computationally infeasible to find an x', y' and
z', where z' may be equal to z but x' or y' or both x' and y' are
different from x and y, respectively, which satisfy the relationship
f5(w,x',y') = z'. Likewise, for any given g5(w,x,z) = y, where z and
x are known and w and y are unknown, it is computationally infeasible
to find an x', y' and z', where z' may be equal to z but x' or y' or
both x' and y' are different from x and y, respectively, which
satisfy the relationship g5(w,x',z') = y'. This prevents an opponent
from forging a dynamically distributed key y or a control value x or
both which would be accepted by a using station.

6. Referring to Figure 9, functions f6 and g6 are a pair of nonsecret
cryptographic functions with the following properties:

a. f6 and g6 each have four inputs and one output.

b. The notation f6(v,w,x,y) = z means that z is the output when f6 is
applied to inputs v, w, x, and y. Likewise, the notation
g6(v,w,x,z) = y means that y is the output when g6 is applied to
inputs v, w, x, and z.

c. f6 is such that f6(v,w,x,y) depends on each of the inputs v, w, x,
and y. g6 is such that g6(v,w,x,z) depends on each of the inputs v,
w, x, and z.

d. f6 and g6 are such that if f6(v,w,x,y) = z, then g6(v,w,x,z) = y.
In effect, when the first, second and third input parameters of f6
and g6 are set equal, then g6 becomes the inverse of f6. For
practical purposes, the input parameter v in functions f6 and g6 is a
fixed secret cryptographic key.

e. f6(v,w,x,y) is easily calculated from v, w, x and y. Likewise,
g6(v,w,x,z) is easily calculated from v, w, x, and z.

f. For any given f6(v,w,x,y) = z, where z, w, x, and y are known and
v is unknown, it is computationally infeasible to calculate v from z,
w, x, and y. Likewise, for any given g6(v,w,x,z) = y, where z, w, x,
and y are known and v is unknown, it is computationally infeasible to
calculate v from z, w, x, and y. This protects the secrecy of the
fixed secret cryptographic key v even if the secret distributed key y
should become compromised.

g. For any given f6(v,w,x,y) = z, where z, w and x are known and v
and y are unknown, it is computationally infeasible to calculate y
from z, w and x. Likewise, for any given g6(v,w,x,z) = y, where z, w
and x are known and v and y are unknown, it is computationally
infeasible to calculate y from z, w and x. This protects the secrecy
of the dynamically distributed secret key y.

h. For any given f6(v,w,x,y) = z, where z, w and x are known and v
and y are unknown, it is computationally infeasible to find a w', x',
y', and z', where z' may be equal to z but w' or x' or y' or some
combination thereof are different from w, x and y, respectively,
which satisfy the relationship f6(v,w',x',y') = z'. Likewise, for any
given g6(v,w,x,z) = y, where z, w and x are known and v and y are
unknown, it is computationally infeasible to find a w', x', y' and
z', where z' may be equal to z but w' or x' or y' or some combination
thereof are different from w, x and y, respectively, which satisfy
the relationship g6(v,w',x',z') = y'. This prevents an opponent from
forging a dynamically distributed key y or a control value x or both
for a given using station with associated public value PV.

i. For any given g6(v,w,x,z) = y, where w, x and z are known and v
and y are unknown, it is computationally infeasible to find a w',
w'', x', x'', z', and z'', where w' ≠ w'' and x' and x'' are two
different legitimate values of PV, which satisfy the relationship
g6(v,w',x',z') = g6(v,w'',x'',z''). Note that the value of function
g6 evaluated with inputs v, w', x', and z' or with inputs v, w'',
x'', and z'' does not need to be known. This property prevents a
special type of insider attack where two system users collude to
construct alternate inputs with different control values that will
allow the same distributed secret key y' = y'' to be initialized at
two different using stations whose associated public values are x'
and x'', even though the users themselves do not know the value of
y' = y''. This specific property is needed since the generating
station uses the same value of v in function f6 when calculating the
first and second forms of the key to be distributed to two different
using stations.

Example embodiments for functions f1 through f6, g1, g3, g5, and g6
which satisfy the functional definitions given above are provided in
Figures 11, 12, 15, 16, 17, 22, and 23. These are described in more
detail hereinafter.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring now to Figure 10, a first embodiment of a generating
station is shown wherein a first and second form of a key K are
generated via a first function f1 and a first and second key
authentication code are generated via a second function f2. In
Figure 10, there is shown a data base 100 and a cryptographic
facility 110 containing a command decoder 115, a random key generator
120, a generate key function 130, a command port 140, an input port
145, and an output port 150. Each using station i shares a unique
secret transport key, KRi, with the generating station, which is used
by the generating station to encrypt and forward data keys to that
using station. These transport keys, KR1, KR2, ..., KRn, are
encrypted under a prescribed variant of the master key of the
generating station, KM', and this list of encrypted transport keys,
which is indexed by the IDs of the using stations, is stored in data
base 100.

Those skilled in the art will understand that the generating station
also has a central processing unit (CPU) which manages and controls
the key generation process. The CPU (not shown) determines the IDs of
the using stations for which keys are to be generated, it determines
the control values associated with the keys for each using station,
it accesses encrypted transport keys from the data base 100, and it
issues generate key commands to the cryptographic facility 110
together with the appropriate control values and encrypted keys.
Since CPUs and the processes performed by them in this context are
well known in the art, no further description of the CPU and the
operations performed by it is needed for an understanding of the
present invention.

The steps involved in generating a data key K for using stations i
and j can be traced in Figure 10. The CPU first determines that a
data key is to be distributed to using stations i and j, i.e., with
identifiers IDi and IDj, and that the control values at using
stations i and j are Ci and Cj, respectively. The identifiers IDi and
IDj are used via line 160 to access the encrypted transport keys
eKM'(KRi) and eKM'(KRj), from data base 100, and these encrypted keys
are read out on line 165. A "generate key" command on line 170 is
input to command port 140 of the cryptographic facility. The
encrypted transport keys, eKM'(KRi) and eKM'(KRj), and the control
values, Ci and Cj, are presented as data inputs at input port 145. In
response to the "generate key" command, the command decoder at 115
produces an active generate key function on line 125, which enables
the generate key function 130. Once enabled, the generate key
function 130 will accept inputs Cj, eKM'(KRj), Ci, and eKM'(KRi),
from input port 145 and a random data key K from random key generator
120.

The inputs are processed as follows. The value eKM'(KRi) is decrypted
at 131 under master key variant KM'. KM' is a dynamically generated
variant of the master key, KM, where KM is stored in the key and
parameter storage of the cryptographic facility 110, as shown in
Figure 2, and is available for use by the generate key function 130.
The decrypted output KRi and the data key K are processed via
combining function f1 at 133 to produce output f1(KRi,K). The data
key K and the input control value Ci are processed via combining
function f2 at 134 to produce output f2(K,Ci). The value eKM'(KRj) is
decrypted at 132 under master key variant KM'. The decrypted output
KRj and the data key K are processed via combining function f1 at 135
to produce output f1(KRj,K). The data key K and the input control
value Cj are processed via combining function f2 at 136 to produce
output f2(K,Cj). The four values f1(KRi,K), f2(K,Ci), f1(KRj,K), and
f2(K,Cj) are then presented as outputs at output port 150, and appear
on lines 151, 152, 153, and 154, respectively.

Those skilled in the art will understand that the serial data
represented by f1(KRi,K) on line 151 and the serial data f2(K,Ci) on
line 152 are loaded into respective shift registers and are read out
in parallel to an output buffer. The output buffer is loaded in
parallel with a header and synchronizing data from another register.
The data in the output buffer is then read out serially and sent to
using station i over a communication link in a conventional manner.
In like manner, the serial data represented by f1(KRj,K) on line 153
and the serial data f2(K,Cj) on line 154 are loaded into respective
shift registers and are read out into an output buffer. The output
buffer has a header and synchronizing data. The data in the output
buffer is then read out and sent to using station j. Obviously, the
output shift registers and buffer may be multiplexed to sequentially
transmit data first to using station i and then to using station j.

Figure 11 shows an example of an embodiment for the function f1. As
defined, f1 has two inputs and one output. The inputs are K and KR.
f1 comprises an encryption facility E whereby input K is encrypted
with KR to provide an output eKR(K).

Figure 12 shows an example of an embodiment for the function f2. As
defined, f2 has two inputs and one output. In this case, the inputs
are K and C. f2 comprises an encryption facility E whereby input C is
encrypted with K. f2 also comprises an exclusive OR logic which
combines the output of the encryption facility with C to produce the
output eK(C) ⊕ C.

Referring now to Figure 13, a second embodiment of a generating
station is shown wherein a first and second form of a key K are
generated via a third function f3 and a first and second key
authentication code are generated via a fourth function g3, which is
related to function f3, and a fourth function f4. In Figure 13, there
is shown a data base 200 of encrypted keys, a data base 205 of public
values, and a cryptographic facility 210 containing a command decoder
215, a random number generator 220, a generate key function 230, a
command port 240, an input port 245, and an output port 250. Each
pair of using stations i and j that can communicate share a common
secret transport key KRij, which is also shared with the generating
station. The generating station uses KRij to generate certain
cryptovariables which are then sent to using stations i and j. These
received cryptovariables are sufficient to allow using stations i and
j to regenerate a common data key K. By referring to the combining
functions f3 and g3, it will be more fully appreciated that key
distribution is accomplished, loosely speaking, via one-way functions
instead of using a method of encrypting K at the generating station
and decryption to recover K at the receiving using stations. These
transport keys, KR1,2, KR1,3, ..., KRn,n-1, are encrypted under a
prescribed variant of the master key of the generating station, KM',
and this list of encrypted transport keys, which is indexed by the
respective IDs of the using stations, is stored in data base 200.

Also associated with each using station i is a public value, PVi.
These public values are used to cryptographically distinguish and
separate the cryptovariables designated for and transmitted to each
respective using station, and the procedure for key distribution is
such that the cryptovariables produced and sent to using station i
cannot be beneficially used or misused at another using station j.
These public values PV1, PV2, ..., PVn, indexed by the ID of the
using station, are stored in data base 205.

The generating station also has a central processing unit (CPU) which
manages and controls the key generation process. The CPU determines
the IDs of the using stations for which keys are to be generated, it
determines the control values associated with the keys for each using
station, it accesses encrypted keys and public values from the data
base, and it issues generate key commands to the cryptographic
facility together with the appropriate control values, public values,
and encrypted keys.

EP 0 292 790 B1

The steps involved in generating a data key K for using stations i
and j can be traced in Figure 13. The CPU first determines that a
data key is to be distributed to using stations i and j, i.e., with
identifiers IDi and IDj, that the control values at using stations i
and j are Ci and Cj, respectively, and that the public values at
using stations i and j are PVi and PVj, respectively. The identifiers
IDi and IDj are used via line 260 to access the encrypted transport
key eKM'(KRij) from data base 200, and this encrypted key is read out
on line 261. The identifiers IDi and IDj are also used via line 262
to access the public values PVi and PVj from data base 205, and these
public values are read out on line 263. A "generate key" command on
line 270 is input to command port 240 of the cryptographic facility
210. The encrypted transport key eKM'(KRij), the public values PVi
and PVj, and the control values Ci and Cj are presented as data
inputs at input port 245. In response to the "generate key" command,
the command decoder 215 produces an active generate key function on
line 225, which enables the generate key function 230. Once enabled,
the generate key function 230 will accept the inputs eKM'(KRij), PVj,
Cj, PVi, and Ci from input port 245 and a random number RN from
random number generator 220.

The inputs are processed as follows. The value eKM'(KRij) is
decrypted at 231 under master key variant KM'. KM' is a dynamically
generated variant of the master key, KM, where KM is stored in the
key and parameter storage of the cryptographic facility, as shown in
Figure 2, and is available for use by the generate key function 230.
The decrypted output KRij and the random number RN are processed via
combining function f3 at 232 to produce output f3(KRij,RN). The
decrypted output KRij and the so-produced output f3(KRij,RN) are
processed via combining function g3 at 233 to produce output data key
K. The data key K, the input control value Ci, and the input public
value PVi are processed via combining function f4 at 234 to produce
output f4(K,Ci,PVi), and the data key K, the input control value Cj,
and the input public value PVj are processed via combining function
f4 at 235 to produce output f4(K,Cj,PVj). The three values
f3(KRij,RN), f4(K,Ci,PVi), and f4(K,Cj,PVj) are then presented as
outputs at output port 250 and appear on output lines 251, 252 and
253, respectively.

The serial data represented by f4(K,Ci,PVi) on line 252 and the
serial data f3(KRij,RN) on line 251 are loaded into respective shift
registers and are read out in parallel to an output buffer. The
output buffer is loaded with a header and synchronizing data from
another register. The data in the output buffer is then read out
serially and sent to using station i. In like manner, the serial data
represented by f4(K,Cj,PVj) on line 253 and the serial data
f3(KRij,RN) on line 251 are loaded into respective shift registers
and are read out in parallel to the output buffer. The output buffer
is loaded with a header and synchronizing data from another register.
The data in the output buffer is read out serially and transmitted to
using station j.

Figure 14 shows an example of an embodiment of the functions f3 and
g3. As defined, each of these functions has two inputs and one
output. In the case of f3, the inputs are KR and RN; however, the
output is a straight through connection of the input RN. In the case
of g3, the inputs are again KR and RN. g3 comprises an encryption
facility E in which RN is encrypted under KR. g3 also comprises an
exclusive OR logic which combines the output of the encryption
facility E with the input RN to produce the output eKR(RN) ⊕ RN,
where eKR(RN) ⊕ RN is defined as the data key K.

Figure 15 shows another example of an embodiment of the functions f3
and g3. In this case, f3 comprises an encryption facility E which
encrypts RN under KR to produce the output eKR(RN). g3 comprises a
decryption facility D which decrypts eKR(RN) under KR to produce RN
as the output, where RN is defined as the data key K.

Figure 16 shows an example of an embodiment of the function f4. By
definition, f4 has three inputs and one output. The inputs are K, C
and PV. f4 comprises first and second encryption facilities E and
exclusive OR logic. The first encryption facility encrypts C under K
to produce eK(C) which is combined in the exclusive OR logic with PV
to produce eK(C) ⊕ PV. The output of the exclusive OR logic is
encrypted under the second encryption facility to produce the output
function f4(K,C,PV).

Figure 17 shows another example of an embodiment of the function f4.
In this example, there are three encryption facilities and three
exclusive OR logics. The first encryption facility encrypts K under
KI, where KI is a fixed nonsecret key, to produce eKI(K) which is
exclusive ORed with K to yield eKI(K) ⊕ K. This output, which will be
referred to as K1, is used to encrypt C in the second encryption
facility, the output of which is exclusive ORed with C to produce
eK1(C) ⊕ C. This output, which will be referred to as K2, is in turn
used to encrypt PV in the third encryption facility, the output of
which is exclusive ORed with PV to provide the output
eK2(PV) ⊕ PV = f4(K,C,PV).
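
The Python sketch below is an added example, not code from the patent: it wires the Figure 11 (f1), Figure 12 (f2), Figure 14 (f3, g3) and Figure 17 (f4) embodiments into the generating stations of Figures 10 and 13, then shows that a using station rejects a message whose control value or public value was altered. Assumptions: encryption facility E is replaced by a SHA-256-based Feistel permutation standing in for the block cipher, g1 is taken to be decryption under KR as property 1d requires, and the receiving-side functions recover_first and recover_second, the 8-byte control and public values, and every key value are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, the size of a DES-era encryption facility

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _rf(key, i, half):
    # Feistel round function built from SHA-256: a stand-in, not the patent's cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Stand-in for encryption facility E (8-round Feistel permutation)."""
    if len(block) != BLOCK:
        raise ValueError("E operates on 8-byte blocks")
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, _rf(key, i, r))
    return l + r

def D(key, block):
    """Inverse of E under the same key."""
    if len(block) != BLOCK:
        raise ValueError("D operates on 8-byte blocks")
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, _rf(key, i, l)), l
    return l + r

KI = bytes(BLOCK)  # fixed nonsecret key KI of Figure 17 (constructed value)

def f1(KR, K): return E(KR, K)           # Figure 11: eKR(K)
def g1(KR, z): return D(KR, z)           # assumed inverse of f1 (property 1d)
def f2(K, C): return xor(E(K, C), C)     # Figure 12: eK(C) xor C
def f3(KR, RN): return RN                # Figure 14: RN passed straight through
def g3(KR, z): return xor(E(KR, z), z)   # Figure 14: K = eKR(RN) xor RN

def f4(K, C, PV):
    """Figure 17: chain K -> K1 -> K2, binding the code to K, C and PV."""
    K1 = xor(E(KI, K), K)
    K2 = xor(E(K1, C), C)
    return xor(E(K2, PV), PV)

def generate_first(KRi, Ci, KRj, Cj):
    """Figure 10: one random K, a key form and an authentication code per station."""
    K = os.urandom(BLOCK)
    return (f1(KRi, K), f2(K, Ci)), (f1(KRj, K), f2(K, Cj))

def generate_second(KRij, Ci, PVi, Cj, PVj):
    """Figure 13: K is derived from RN; only f3(KRij,RN) and the codes are output."""
    z = f3(KRij, os.urandom(BLOCK))
    K = g3(KRij, z)
    return (z, f4(K, Ci, PVi)), (z, f4(K, Cj, PVj))

def recover_first(KR, C, form, code):
    """Assumed receiving side: recover K, accept only if f2(K, C) matches the code."""
    K = g1(KR, form)
    return K if hmac.compare_digest(f2(K, C), code) else None

def recover_second(KRij, C, PV, form, code):
    """Assumed receiving side: the code must match this station's own C and PV."""
    K = g3(KRij, form)
    return K if hmac.compare_digest(f4(K, C, PV), code) else None

if __name__ == "__main__":
    KRi, KRj, KRij = b"KR-i-key", b"KR-j-key", b"KR-ij-ky"  # constructed keys
    Ci, Cj = b"ENC-ONLY", b"DEC-ONLY"                      # constructed control values
    PVi, PVj = b"STATION1", b"STATION2"                    # constructed public values
    to_i, to_j = generate_first(KRi, Ci, KRj, Cj)
    print("first method, same K at i and j:",
          recover_first(KRi, Ci, *to_i) == recover_first(KRj, Cj, *to_j))
    print("first method, altered control value:",
          recover_first(KRi, Cj, *to_i))
    to_i, to_j = generate_second(KRij, Ci, PVi, Cj, PVj)
    print("second method, same K at i and j:",
          recover_second(KRij, Ci, PVi, *to_i) == recover_second(KRij, Cj, PVj, *to_j))
    print("second method, j's message presented at i:",
          recover_second(KRij, Cj, PVi, *to_j))
```

In the second method both stations hold the same KRij, so the public value inside f4 is the only thing that stops station i from accepting the message built for station j.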

Referring now to Figure 18, there is shown a first embodiment of a
using station related to the first embodiment of the generating
station shown in Figure 10 wherein the received key K is recovered
via a function g1, which is related to the function f1, and wherein
the received key authentication code is authenticated via the
function f2. Figure 18 shows a data base 300 and a cryptographic
facility 310 containing a command decoder 315, an "operation allowed"
procedure 320, an "abort operation" procedure 327, a check procedure
330, a command port 340, an input port 345, an output port 350, and
microcode 380 to perform a requested operation. Each using station i
shares a unique secret transport key, KRi, with the generation
station, which is used by the receiving station to receive encrypted
data keys from the generating station. The transport keys shared with
each generating station are encrypted under a prescribed variant of
the master key of the using station, KM', and these encrypted
transport keys are stored in data base 300. If there were only one
generating station and one key shared with that generation station,
then there would be only one encrypted transport key in data base
300. The encrypted transport keys in data base 300 are indexed by an
identifier, here referred to as "ID of KR", which uniquely identifies
each key in the list. Thus, in Figure 18, "ID of KRi" refers to a
particular KRi which using station i has shared with the generating
station, and is the same KRi used by the generating station to
communicate with using station i.

The using station also has a central processing unit (CPU) which
manages and controls the key recovery and key usage process. The CPU
(not shown) receives a formatted message from the generating station,
which contains the ID of the generating station, the IDi of the
intended receiving station, the ID of KRi, a control value Ci, a
first value f1(KRi,K), and a second value f2(K,Ci). The CPU parses
messages received from the generating station, extracts data
parameters, accesses encrypted transport keys from its data base, and
presents key and data parameters to the cryptographic facility 310 in
conjunction with requested cryptographic operations.

The steps involved in using a data key K at using station i can be
traced in Figure 18. The CPU first determines that a received data
key K is to be used in a specific requested cryptographic operation.
Using the received value of "ID of KRi", the encrypted transport key
eKM'(KRi) is accessed from the data base 300 via line 360, and the
encrypted key is read out on line 365. A requested operation on line
370 is input to command port 340 of the cryptographic facility. The
encrypted transport key eKM'(KRi) accessed from data base 300, the
control value Ci, value f1(KRi,K), and value f2(K,Ci) extracted from
the received message, and other inputs necessary to the requested
cryptographic operation, are presented as data inputs at input port
345. In response to the requested operation, the command decoder 315
activates the "operation allowed" procedure 320. Once enabled, the
"operation allowed" procedure 320 will accept inputs f2(K,Ci), Ci,
f1(KRi,K), and eKM'(KRi) from input port 345. These inputs are
temporarily stored in the cryptographic facility 310. Using the just
read value of Ci, the "operation allowed" procedure 320 determines
whether the usage of data key K in the requested operation is
authorized or granted on the basis of data in the control value Ci.
If so, then the "operation allowed" procedure 320 produces an
activate check procedure on line 325 that enables the check procedure
330. If the use is not authorized, then the "operation allowed"
procedure 320 produces an activate abort on line 326. Once enabled,
the abort operation 327 erases the inputs read from input port 345
and temporarily stored in the cryptographic facility 310 and enables
another requested operation via command port 340. Once enabled, the
check procedure 330 will accept inputs f2(K,Ci), Ci, f1(KRi,K), and
eKM'(KRi), which have been temporarily stored in the cryptographic
facility 310.

The inputs are processed as follows. The value eKM'(KRi) is decrypted at
331 under master key variant KM'. KM' is a dynamically generated variant
of the master key KM, where KM is stored in the key and parameter
storage of the cryptographic facility 310, as shown in Figure 2, and is
available for use by the check procedure 330. The decrypted output KRi
and the input value f1(KRi,K) are processed via combining function g1 at
332 to produce output data key K. The so-produced data key K and the
input control value Ci are processed via combining function f2 at 333 to
produce output f2(K,Ci). The so-produced value f2(K,Ci) and the input
value f2(K,Ci) are compared for equality at 334. If not equal, then an
activate abort operation is produced on line 328. If equal, then an
activate "microcode to perform requested operation" is produced on line
329. Once enabled, the abort operation 327 erases the inputs read from
input port 345 and temporarily stored in the cryptographic facility 310
and enables another requested operation via command port 340. Once
enabled, the microcode to perform requested operation 380 will accept
input to requested operation on line 381 via input port 345 and the
so-produced data key K on line 382, which is the output from combining
function g1 at 332. The requested operation is then performed at 380
using these key and data inputs. The output of the requested operation
380 is then presented at output port 250 and appears on line 383.

Referring now to Figure 19, there is shown a second embodiment of a
using station related to the second embodiment of the generating station
shown in Figure 13 wherein the data key K is regenerated or recovered
via a function g3, which is related to function f3, and wherein the
received key authentication code is authenticated via the function f4.
Figure 19 shows a data base 400 and a cryptographic facility 410
containing a command decoder 415, an "operation allowed" procedure 420,
an "abort operation" procedure 427, a check procedure 430, a command
port 440, an input port 445, an output port 450, and microcode to
perform requested operation 480. Each pair of using stations i and j
share a unique secret transport key, KRij, which is also shared with the
generating station. The transport key KRij is used by using station i to
recover or regenerate data keys from information received from a
generating station, where the so-recovered or so-regenerated data keys
will be used for communication with using station j, and vice versa. The
transport keys shared in common with each other using station, and also
with the generating station, are encrypted under a prescribed variant of
the master key of the receiving station, KM', and these encrypted
transport keys are stored in data base 400. The encrypted transport keys
in data base 400 are indexed by an identifier which uniquely relates the
key to using station j. Thus, in Figure 19, the term "ID of KRij" is the
identifier of KRij, which is the transport key that using station i
shared with using station j.

The using station also has a central processing unit (CPU) which
manages and controls the key recovery and key usage process. The CPU
receives a formatted message from the generating station, which contains
the ID of the generating station, the IDi of the intended using station,
the ID of KRij, a control value Ci, a first value f4(K,Ci,PVi), and a
second value f3(KRij,RN). The CPU parses messages received from the
generating station, extracts data parameters, accesses encrypted
transport keys from its data base, and presents key and data parameters
to the cryptographic facility 410 in conjunction with requested
cryptographic operations.

The steps involved in using a data key K at using station i can be
traced in Figure 19. The CPU first determines that a received data key K
is to be used in a specific requested cryptographic operation. Using the
received value of "ID of KRij", the encrypted transport key eKM'(KRij)
is accessed from the data base 400 via line 460, and the encrypted key
is read out on line 465. A requested operation on line 470 is input to
command port 440 of the cryptographic facility 410. The encrypted
transport key eKM'(KRij) accessed from data base 400, the value
f4(K,Ci,PVi), control value Ci, and value f3(KRij,RN) extracted from the
received message, and other inputs necessary to the requested
cryptographic operation but not received in the same message from the
generating station, are presented as data inputs at input port 445. In
response to the requested operation, the command decoder at 415
activates the "operation allowed" procedure 420. Once enabled, the
"operation allowed" procedure 420 will accept inputs f4(K,Ci,PVi), Ci,
f3(KRij,RN) and eKM'(KRij) from input port 445. These inputs are
temporarily stored in the cryptographic facility 410. Using the just
read value of Ci, the "operation allowed" procedure determines whether
the usage of data key K in the requested operation is authorized or
granted on the basis of data in the control value Ci. If so, then the
"operation allowed" produces an activate check procedure on line 425,
which enables the check procedure 430. If not, then the "operation
allowed" procedure 420 produces an activate abort operation on line 426.
Once enabled, the abort operation 427 erases the inputs read from input
port 445 and temporarily stored in the cryptographic facility 410 and
enables another requested operation via command port 440. Once enabled,
the check procedure 430 will accept inputs f4(K,Ci,PVi), Ci,
f3(KRij,RN), and eKM'(KRij) which have been temporarily stored in the
cryptographic facility 410.

The inputs are processed as follows. The value eKM'(KRij) is decrypted
at 431 under master key variant KM'. KM' is a dynamically generated
variant of the master key KM, where KM is stored in the key and
parameter storage of the cryptographic facility 410, as shown in Figure
2, and is available for use by the check procedure 430. The decrypted
output KRij and the input value f3(KRij,RN) are processed via combining
function g3 at 432 to produce output data key K. The so-produced data
key K, the input control value Ci, and public value PVi are processed
via combining function f4 at 433 to produce output f4(K,Ci,PVi). The
public value PVi associated with using station i is stored in the key
and parameter storage of the cryptographic facility 410, as shown in
Figure 2, and is available for use by the check procedure 430. The
so-produced value f4(K,Ci,PVi) and the input value f4(K,Ci,PVi) are
compared for equality at 434. If not equal, then an activate abort
operation is produced on line 428; but if equal, an activate "microcode
to perform requested operation" is produced on line 429. Once enabled,
the abort operation 427 erases the inputs read from input port 445 and
temporarily stored in the cryptographic facility 410 and enables another
requested operation via command port 440. Once enabled, the microcode to
perform requested operation 480 will accept input to requested operation
on line 481 via input port 445 and the so-produced key K on line 482,
which is the output from combining function g3 at 432. The requested
operation is then performed at 480 using these key and data inputs. The
output of the requested operation 480 is then presented at output port
450 and appears on line 483.

Referring now to Figure 20, there is shown a third embodiment of a
generating station wherein a first and second form of a key K are
generated via a fifth function f5. In Figure 20, there is shown a data
base 500 and a cryptographic facility 510 containing a command decoder
515, a random key generator 520, a generate key function 530, a command
port 540, an input port 545, and an output port 550. Each using station
i shares a unique secret transport key, KRi, with the generating
station, which is used by the generating station to encrypt and forward
data keys to that using station. These transport keys, KR1, KR2, ...,
KRn, are encrypted under a prescribed variant of the master key of the
generating station, KM', and this list of encrypted transport keys,
which is indexed by the IDs of the using stations, is stored in data
base 500.

The generating station also has a central pro- 
cessing unit (CPU) which manages and controls 
the key generation process. The CPU determines 
the IDs of the using station for which keys are to 
be generated, it determines the control values as- 
sociated with the keys for each using station, it 
accesses encrypted keys from the data base, and 
it issues generate key commands to the cryp- 
tographic facility together with the appropriate con- 
trol values and encrypted keys. 

The steps involved in generating a data key K 
for using stations i and j can be traced in Figure 
20. The CPU first determines that a data key is to 
be distributed to using stations i and j, i.e., with 
identifiers IDi and IDj, and that the control values at 
using stations i and j are Ci and Cj, respectively. 
The identifiers IDi and IDj are used via line 560 to 
access the encrypted transport keys, eKM'(KRi) 
and eKM'(KRj), from the data base 500, and these 
encrypted keys are read out on line 565. A 
"generate key" command on line 570 is input to 
command port 540 of the cryptographic facility 
510. The encrypted transport keys, eKM'(KRi) and 
eKM'(KRj), and the control values Ci and Cj, are 
presented as data inputs at input port 545. In 
response to the "generate key" command, the 
command decoder 515 produces an active gen- 
erate key function on line 525, which enables the 
generate key function 530. Once enabled, the generate key function 530
will accept inputs Cj, eKM'(KRj), Ci, and eKM'(KRi) from input port 545 and a
random data key K from random key generator 
520. 

The inputs are processed as follows. The value eKM'(KRi) is decrypted at
531 under master key variant KM'. KM' is a dynamically generated variant
of the master key KM, where KM is stored in the key and parameter
storage of the cryptographic facility 510, as shown in Figure 2, and is
available for use by the generate key function 530. The decrypted output
KRi, the control value Ci, and the data key K are processed via
combining function f5 at 533 to produce output f5(KRi,Ci,K). The value
eKM'(KRj) is decrypted at 532 under master key variant KM'. The
decrypted output KRj, the control value Cj, and K are processed via
combining function f5 at 534 to produce output f5(KRj,Cj,K). The two
values f5(KRi,Ci,K) and f5(KRj,Cj,K) are then presented as outputs at
output port 550 and appear on output lines 551 and 552, respectively.

The serial data represented by f5(KRi,Ci,K) on line 531 is loaded into a
shift register and read out into an output buffer. The output buffer is
also loaded with a header and synchronizing data. The data in the output
buffer is then read out serially and sent to using station i. In like
manner, the serial data represented by f5(KRj,Cj,K) on line 552 is
loaded into a shift register and read out into an output buffer. The
output buffer is also loaded with a header and synchronizing data. The
data in the output buffer is then read out serially and sent to using
station j.

Referring now to Figure 21, there is shown a fourth embodiment of a
generating station wherein a first and second form of a key K are
generated via a sixth function f6. In Figure 21, there is shown a data
base 600 of encrypted transport keys, a data base of public values 605,
and a cryptographic facility 610 containing a command decoder 615, a
random key generator 620, a generate key function 630, a command port
640, an input port 645, and an output port 650. Each pair of using
stations i and j that can communicate share a common secret transport
key KRij, which is also shared with the generating station. The
generating station uses KRij to encrypt and forward data keys to using
stations i and j. These transport keys, KR1,2, KR1,3, ..., KRn,n-1, are
encrypted under a prescribed variant of the master key of the generating
station, KM', and this list of encrypted transport keys, which is
indexed by the respective IDs of the using stations, is stored in data
base 600.

Also associated with each using station i is a public value, PVi, which
is used by the generating station to distinguish data keys sent to using
station i via transport key KRij from data keys sent to using station j,
also via transport key KRij. These public values PV1, PV2, ..., PVn,
indexed by the ID of the using station, are stored in data base 605.

The generating station also has a central processing unit (CPU) which
manages and controls the key generation process. The CPU determines the
IDs of the using stations for which keys are to be generated, it
determines the control values associated with the keys for each using
station, it accesses encrypted keys and public values from the data
base, and it issues generate key commands to the cryptographic facility
together with the appropriate control values, public values, and
encrypted keys.

The steps involved in generating a data key K 
for using stations i and j can be traced in Figure 
21. The CPU first determines that a data key is to 
be distributed to using stations i and j, i.e., with 
identifiers IDi and IDj, that the control values at 
using stations i and j are Ci and Cj, respectively, 
and that the public values at using stations i and j 
are PVi and PVj, respectively. The identifiers IDi 
and IDj are used via line 660 to access the encryp- 
ted transport key eKM'(KRij) from data base 600, 
and this encrypted key is read out on line 661. The 
identifiers IDi and IDj are also used via line 662 to 
access the public values PVi and PVj from data 
base 605, and these public values are read out on 
line 663. A "generate key" command on line 670 is 
input to command port 640 of the cryptographic 
facility 610. The encrypted transport key eKM'(KRij),
the public values PVi and PVj, and the
control values Ci and Cj are presented as data 
inputs at input port 645. In response to the 
"generate key" command, the command decoder 
615 produces an active generate key function on 
line 625, which enables the generate key function 
630. Once enabled, the generate key function 630 
will accept inputs eKM'(KRij), PVj, Cj, PVi, and Ci 
from input port 645 and a random data key K from 
random key generator 620. 

The inputs are processed as follows. The value 
eKM'(KRij) is decrypted at 631 under master key 
variant KM'. KM' is a dynamically generated variant 
of the master key KM, where KM is stored in the 
key and parameter storage of the cryptographic 
facility 610, as shown in Figure 2, and is available 
for use by the generate key function 630. The 
decrypted output KRij, the control value Ci, the 
public value PVi, and the random data key K are 
processed via combining function f6 at 632 to produce
output f6(KRij,Ci,PVi,K). The decrypted output
KRij, the control value Cj, the public value PVj, and
the random data key K are processed via combining
function f6 at 633 to produce output
f6(KRij,Cj,PVj,K). The two values f6(KRij,Ci,PVi,K)
and f6(KRij,Cj,PVj,K) are then presented as outputs 
at output port 650 and appear on lines 651 and 
652, respectively. 

The serial data represented by f6(KRij,Ci,PVi,K) 
on line 651 is loaded into a shift register and read 
out in parallel to an output buffer. The output buffer 
is also loaded with a header and synchronizing 
data. The data in the output buffer is then read out 
serially and sent to using station i. In like manner, 
the serial data represented by f6(KRij,Cj,PVj,K) on 
line 652 is loaded into a shift register and read out 
in parallel to the output buffer. The output buffer is
also loaded with a header and synchronizing data.
The data in the output buffer is then read out 
serially and sent to using station j. 

Figure 22 shows an example of an embodiment of function f5 and a related
function g5. By definition, these functions have three inputs and one
output. In the case of f5, the inputs are KR, C and K. f5 comprises
first and second encryption facilities. In the first encryption
facility, K is encrypted under C to produce eC(K). This is in turn
encrypted under KR in the second encryption facility to produce
eKR(eC(K)) = f5(KR,C,K). In the case of g5, the inputs are C, KR and
f5(KR,C,K) = Y. g5 comprises first and second decryption facilities. In
the first decryption facility, Y is decrypted under KR to produce
dKR(Y). This is in turn decrypted under C in the second decryption
facility to produce g5(KR,C,Y) = K.

Figure 23 shows an example of an embodiment of function f6 and a related
function g6. By definition, each has four inputs and one output. The
inputs to f6 are KR, PV, C, and K. f6 comprises first, second and third
encryption facilities. In the first encryption facility, K is encrypted
under C to produce eC(K). This is in turn encrypted under PV in the
second encryption facility to produce ePV(eC(K)). Finally, the output of
the second encryption facility is encrypted under KR in the third
encryption facility to produce f6(KR,C,PV,K) = Y. The inputs to g6 are
C, PV, KR, and Y. g6 comprises first, second and third decryption
facilities. In the first decryption facility, Y is decrypted under KR to
produce dKR(Y). This is in turn decrypted under PV in the second
decryption facility to produce dPV(dKR(Y)). Finally, the output of the
second decryption facility is decrypted under C to produce the output
g6(KR,C,PV,Y) = K.

Referring now to Figure 24, there is shown a third embodiment of a using
station related to the third embodiment of the generating station shown
in Figure 20 wherein the received key K is recovered via function g5,
which is related to function f5. In Figure 24, there is shown a data
base 700 and a cryptographic facility 710 containing a command decoder
715, an "operation allowed" procedure 720, an "abort operation"
procedure 727, a key recovery function 730, a command port 740, an input
port 745, an output port 750, and microcode 780 to perform requested
operation. Each using station i shares a unique secret transport key,
KRi, with the generating station, which is used by the receiving station
to receive encrypted data keys from the generating station. The
transport keys shared with each generating station are encrypted under a
prescribed variant of the master key of the receiving station, KM', and
these encrypted transport keys are stored in data base 700. If there
were only one generating station and one key shared with that generating
station, then there would be only one encrypted transport key in data
base 700. The encrypted transport keys in data base 700 are indexed by
an identifier, here referred to as "ID of KR", which uniquely identifies
each key in the list. Thus, in Figure 24, "ID of KR" refers to a
particular KRi which using station i has shared with the generating
station, and is the same KRi used by the generating station to
communicate with using station i.

The using station also has a central processing unit (CPU) which
manages and controls the key recovery and key usage process. The CPU
receives a formatted message from the generating station, which contains
the ID of the generating station, the IDi of the intended using station,
the ID of KRi, a control value Ci, and a value f5(KRi,Ci,K). The CPU
parses messages received from the generating station, extracts data
parameters, accesses encrypted transport keys from its data base, and
presents key and data parameters to the cryptographic facility in
conjunction with requested cryptographic operations.

The steps involved in using a data key K at using station i can be
traced in Figure 24. The CPU first determines that a received data key K
is to be used in a specified requested cryptographic operation. Using
the received value of "ID of KRi", the encrypted transport key eKM'(KRi)
is accessed from the data base 700 via line 760, and the encrypted key
is read out on line 765. A requested operation on line 770 is input to
command port 740 of the cryptographic facility 710. The encrypted
transport key eKM'(KRi) accessed from data base 700, the control value
Ci and the value f5(KRi,Ci,K) from the received message, and other
inputs necessary to the requested cryptographic operation but not
received in the same message from the generating station, are presented
as data inputs at input port 745. In response to the requested
operation, the command decoder 715 activates the "operation allowed"
procedure 720. Once enabled, the "operation allowed" procedure 720 will
accept inputs f5(KRi,Ci,K), Ci and eKM'(KRi) from input port 745. These
inputs are temporarily stored in the cryptographic facility 710. Using
the just read value of Ci, the "operation allowed" procedure 720
determines whether the usage of data key K in the requested operation is
authorized or granted on the basis of data in the control value Ci. If
so, then the "operation allowed" procedure 720 produces an activate key
recovery function on line 725, which enables the key recovery function
730. If not, then the "operation allowed" procedure 720 produces an
activate abort operation on line 726. Once enabled, the abort operation
727 erases the inputs read from input port 745 and temporarily stored in
the cryptographic facility 710 and enables another requested operation
via command port 740. Once enabled, the key recovery function 730 will
accept inputs f5(KRi,Ci,K), Ci and eKM'(KRi), which have been
temporarily stored in the cryptographic facility.

The inputs are processed as follows. The value eKM'(KRi) is decrypted at
731 under master key variant KM'. KM' is a dynamically generated variant
of the master key, KM, where KM is stored in the key and parameter
storage of the cryptographic facility 710, as shown in Figure 2, and is
available for use by the key recovery function 730. The decrypted output
KRi and the input values of Ci and f5(KRi,Ci,K) are processed via
combining function g5 at 732 to produce output data key K. The
successful completion of the combining function g5 also raises an
activate operation on line 729, which enables the microcode that
performs the requested operation. Once enabled, the microcode to perform
requested operation 780 will accept input to requested operation on line
781 via input port 745 and the so-processed data key K on line 782,
which is input from combining function g5 at 732. The requested
operation is then performed at 780 using these key and data inputs. The
output of the requested operation 780 is then presented at output port
750 and appears on line 783.

Referring now to Figure 25, there is shown a fourth embodiment of a
using station related to the fourth embodiment of the generating station
shown in Figure 21 wherein the received key K is recovered via function
g6, which is related to function f6. In Figure 25, there is shown a data
base 800 and a cryptographic facility 810 containing a command decoder
815, an "operation allowed" procedure 820, an "abort operation"
procedure 827, a key recovery function 830, a command port 840, an input
port 845, an output port 850, and microcode 870 to perform requested
operation. Each pair of using stations i and j share a unique secret
transport key, KRij, which is also shared with the generating station.
The transport key KRij is used by using station i to recover or
regenerate data keys from information received from a generating
station, where the so-recovered or so-regenerated data keys will be used
for communication with using station j, and vice versa. The transport
keys shared in common with each other using station, and also with the
generating station, are encrypted under a prescribed variant of the
master key of the receiving station, KM', and these encrypted transport
keys are stored in data base 800. The encrypted transport keys in data
base 800 are indexed by an identifier which uniquely relates the key to
using station j. Thus, in Figure 25, the term "ID of KRij" is the
identifier of KRij, which is the transport key that using station i
shares with using station j.

The using station also has a central processing unit (CPU) which
manages and controls the key recovery and key usage process. The CPU
receives a formatted message from the generating station, which contains
the ID of the generating station, the IDi of the intended using station,
the ID of KRij, a control value Ci, and a value f6(KRij,Ci,PVi,K). The
CPU parses messages received from the generating station, extracts data
parameters, accesses encrypted transport keys from its data base, and
presents key and data parameters to the cryptographic facility in
conjunction with requested cryptographic operations.

The steps involved in using a data key K at using station i can be
traced in Figure 25. The CPU first determines that a received data key K
is to be used in a specific requested cryptographic operation. Using the
received value of "ID of KRij", the encrypted transport key eKM'(KRij)
is accessed from the data base 800 via line 860, and the encrypted key
is read out on line 865. A requested operation on line 870 is input to
command port 840 of the cryptographic facility 810. The encrypted
transport key eKM'(KRij) accessed from data base 800, the value
f6(KRij,Ci,PVi,K) and control value Ci extracted from the received
message, and other inputs necessary to the requested cryptographic
operation but not received in the same message from the generating
station, are presented as data inputs at input port 845. In response to
the requested operation, the command decoder 815 activates the
"operation allowed" procedure 820. Once enabled, the "operation allowed"
procedure 820 will accept inputs f6(KRij,Ci,PVi,K), Ci, and eKM'(KRij)
from input port 845. These inputs are temporarily stored in the
cryptographic facility 810. Using the just read value of Ci, the
"operation allowed" procedure 820 determines whether the usage of data
key K in the requested operation is authorized or granted on the basis
of data in the control value Ci. If so, then the "operation allowed"
procedure 820 produces an activate key recovery function on line 825,
which enables the key recovery function 830. If not, then the "operation
allowed" procedure 820 produces an activate abort operation on line 826.
Once enabled, the abort operation 827 erases the inputs read from input
port 845 and temporarily stored in the cryptographic facility 810 and
enables another requested operation via command port 840. Once enabled,
the key recovery function 830 will accept inputs f6(KRij,Ci,PVi,K), Ci
and eKM'(KRij), which have been temporarily stored in cryptographic
facility 810.

The inputs are processed as follows. The value eKM'(KRij) is decrypted
at 831 under master key variant KM'. KM' is a dynamically generated
variant of the master key, KM, where KM is stored in the key and
parameter storage of the cryptographic facility 810, as shown in Figure
2, and is available for use by the key recovery function 830. The
decrypted output KRij, the input value Ci, the value PVi, and the input
value f6(KRij,Ci,PVi,K) are processed via combining function g6 at 832
to produce output data key K. The public value PVi associated with using
station i is stored in the key and parameter storage of the
cryptographic facility 810, as shown in Figure 2, and is available for
use by the key recovery function 830. The successful completion of the
combining function g6 also raises an activate operation on line 829,
which enables the microcode that performs the requested operation. Once
enabled, the microcode 880 to perform the requested operation will
accept input to requested operation on line 881 via input port 845 and
the so-produced data key K on line 882, which is the output from
combining function g6 at 832. The requested operation is then performed
at 880 using these key and data inputs. The output of the requested
operation 880 is then presented at output port 850 and appears on line
883.

At a using station we have shown the recovery and controlled use of a
single data key. However, the invention could be enlarged to provide for
the simultaneous recovery and controlled use of any number of any type
of keys at each using station. The public values PV1...PVn could be the
IDs or functions of the IDs of the respective using stations, in which
case the two data bases would be combined. The public values could also
be public keys in an RSA algorithm type system or could simply be random
numbers. The control value may, under certain protocols, reside at the
using station so that it would not be necessary to transmit the control
value to the designated using stations. For example, a using station may
send with its request for a cryptographic key from the generating
station an appropriate or specified control value.

Figure 26 illustrates but one possible control vector which may be used.
The control vector may be viewed as a bit map of one dimension which
represents the control value used in any of the several embodiments of
the invention described above. From left to right in Figure 26, the
first and second bits may be ones or zeros to control whether the
cryptographic key can be used to encipher or decipher or both encipher
and decipher data. Following the first two bits is an initial chaining
value (ICV) which, under the DES algorithm, controls the mode of block
chaining used in the process. The values for the ICV are shown in Figure
26 and they are mutually exclusive. Next are two bits which control
whether the cryptographic key can be used for message authentication
code generation (MACGEN) or verification (MACVER). Following that is an
ICV for the message authentication code. Next are two bits which control
the translation of cipher text to or from another form. This is followed
by an ICV for the translation of cipher text. Finally, there are two
bits which control the translation of a personal identification number
(PIN).

To summarize, the sender, by specifying via the control block C how a particular key should be handled at the receiver, determines key management operations at the receiver. Consequently, exposures at the receiver are minimized, provided that the integrity of the cryptographic operations is assured, e.g., via a cryptographic facility.
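The binding of the control value to the key summarized above, following the f1/f2 construction recited in claims 3 to 6, is shown here as an added example that is not part of the patent text. It assumes a toy Feistel cipher in place of DES, a 64-bit control value in which only the two leftmost bits of Figure 26 are modelled, and hypothetical names (`generate`, `use_key`, `Aborted`).

```python
import hashlib
import hmac
import secrets

# Stand-in 64-bit block cipher (8-round Feistel over SHA-256). The patent
# assumes DES; this toy cipher only keeps the example dependency-free.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

# Assumed layout: only the first two (leftmost) bits of the control value.
ENCIPHER = 1 << 63
DECIPHER = 1 << 62

class Aborted(Exception):
    """Raised when the cryptographic facility refuses the operation."""

def generate(kr: bytes, c: bytes):
    """Generating station: random key K, f1 = E_KR(K), f2 = E_K(C) xor C."""
    k = secrets.token_bytes(8)
    f1 = encrypt(kr, k)
    f2 = _xor(encrypt(k, c), c)
    return k, f1, f2

def use_key(km_variant: bytes, stored_kr: bytes, c: bytes,
            f1: bytes, f2: bytes, requested_op: int) -> bytes:
    """Using station: check C, recover K, then authenticate C against f2."""
    if not int.from_bytes(c, "big") & requested_op:
        raise Aborted("operation not permitted by control value")
    kr = decrypt(km_variant, stored_kr)   # transport key stored under a KM variant
    k = decrypt(kr, f1)                   # g1 is the inverse of f1
    if not hmac.compare_digest(_xor(encrypt(k, c), c), f2):
        # A real facility would also erase its temporarily stored values here.
        raise Aborted("control value does not match key")
    return k

def demo() -> dict:
    km_variant = secrets.token_bytes(8)   # constructed master-key variant
    kr = secrets.token_bytes(8)           # constructed secret transport key KR
    stored_kr = encrypt(km_variant, kr)   # KR as held in the station's data base
    c = ENCIPHER.to_bytes(8, "big")       # sender allows enciphering only
    k, f1, f2 = generate(kr, c)
    widened = (ENCIPHER | DECIPHER).to_bytes(8, "big")  # C altered in transit
    results = {"permitted":
               use_key(km_variant, stored_kr, c, f1, f2, ENCIPHER) == k}
    for label, cv in (("not_permitted", c), ("tampered", widened)):
        try:
            use_key(km_variant, stored_kr, cv, f1, f2, DECIPHER)
            results[label] = "enabled"
        except Aborted as exc:
            results[label] = str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Because f2 depends on both K and C, a control value widened after generation fails the comparison even though the permission-bit check alone would pass.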


Claims 

1. A method of controlling the use of securely transmitted information in a network of stations in which each potentially cooperating station includes a cryptographic facility (110) which securely stores a master key (KM) and in which, for each transmission between a pair of stations, a cryptographic key result is provided for each station of the pair by a generating station which is either one of the pair or a station external to the pair under a cryptographic protocol common to the networks, the cryptographic key results for the transmission having a random component notionally particular to the transmission, a master key variant component either particular to the stations individually or as a pair, characterised in that in response to a generating command (170) invoked in the generating station for establishing a controlled use secure transmission between a designated pair of stations, the generating station generates the cryptographic key result for each designated station, accesses the control value (C) common to the system for the permitted operation for each of the stations for the particular transmission, combines the control value (C) with the common key result or each individual key result and causes the appropriate combined key result to be established in each station of the pair for the transmission, and wherein the cryptographic facility (110) in each station is arranged, when an operating command is invoked to perform a designated operation with respect to such securely transmitted information, to automatically abort such operation unless it matches the control value.

2. A method as claimed in claim 1, wherein either each station has both a key generation function (KGF) and a key usage function (KUF), the combined key result being generated by the key generation function of one of a pair of stations and transmitted to its own key usage function and to the key usage function of the other station; or a server station for the network has a key generation function for the network, the remaining user stations having key usage functions and the combined key result is generated in the server station and is transmitted to the key usage function of a designated pair of stations.

3. A method as claimed in claim 2, wherein each station stores a data base (100) including a plurality of encrypted secret transport keys unique to each using station and indexed by identifications of the using stations, the encrypted secret transport keys being encrypted under a variant of the master key;

the server station of any such station in response to a generating command, generating a random key (K) in its cryptographic facility (110) as a cryptographic key;

accessing the encrypted secret transport keys (KR) for the designated using stations using the identification for the using stations;

decrypting in the cryptographic facility of the generating station the accessed secret transport keys (KR) for the designated using stations using the variant of the master key;

combining in the cryptographic facility of the generating station the decrypted secret transport keys (KR) with generated cryptographic key (K) to produce a combined function f1 for each designated using station;

reading the control value (C) for the permitted operation for each designated using station;

combining the generated cryptographic key (K) with the control value (C) for each designated using station to produce a combined function f2; and

transmitting the combined functions f1 and f2 for each designated using station and the control value to the corresponding designated using station.

4. A method as claimed in claim 3, wherein the combining operation to produce the combined function f1 is performed by encrypting the generated cryptographic key (K) under the decrypted secret transport keys (KR) for each designated using station, and wherein the combining operation to produce the combined function f2 is performed by first encrypting the control values (C) for each designated using station under the generated cryptographic key (K) and then exclusive ORing the thus encrypted control values with the control values for each designated using station.

5. A method as claimed in claim 3 or claim 4, comprising at a designated using station in response to the requesting of a cryptographic operation requiring the use of the cryptographic key generated by the generating station in combination with a control value;

accessing the encrypted secret transport key and temporarily storing in the local cryptographic facility (310), such encrypted secret transport key together with the control value (C) and the combined functions f1 and f2;

checking, in the local cryptographic facility, the control value to determine if the requested operation is allowed by such control value;

if the requested operation is allowed, decrypting the encrypted secret transport key using a variant of said master key, combining the decrypted secret transport key (KR) with the combined function f1 using a combining function g1 to recover the generated cryptographic key (K), combining the recovered cryptographic key (K) with the control value (C) to produce an authentication function f2, comparing the temporarily stored combined function f2, and if the stored combined function f2 and the authenticating function f2 are equal, enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the values temporarily stored in the cryptographic facility of the using station.

6. A method as claimed in claim 5 wherein the combining function g1 is an inverse function of the function f1.

7. A method as claimed in claim 2 wherein each station stores, in a first data base (200), a plurality of encrypted secret transport keys unique to each pair of using stations in the network and indexed by identifications of pairs of using stations sharing a secret transport key (KR), the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM), and in a second data base (205), a plurality of nonsecret values (PV) unique to each using station in the network and indexed by identifications of such using stations;

the server station or each such station, in response to a generating command, generating a random number (RN) in its cryptographic facility;

accessing the encrypted secret transport keys shared by designated using stations using the identifications for the using station pairs sharing the encrypted secret transport keys;

accessing the nonsecret values for the designated using stations using the identifications for the designated using stations;

decrypting the accessed secret transport keys using the variant of the master key;

combining the generated random number with the decrypted secret transport keys to produce a combined function f3 for each of the designated using stations;

combining the decrypted secret transport key with said combined function f3 to generate the cryptographic key;

reading the control value for the permitted operation for each designated using station;

for each designated using station, combining the generated cryptographic key with the control value and the nonsecret value for the designated using station to produce a combined function f4 for the designated using station; and

transmitting the combined function f3 and f4 for each designated using station and the control value to the corresponding designated using station.

8. A method as claimed in claim 7, wherein the combining to produce the combined function f3 is performed by encrypting the random number (RN) under the decrypted secret transport key for each designated using station.

9. A method as claimed in claim 7 or claim 8 wherein the combining to produce the combined function f4 is performed by first encrypting the control values (C) under the generated cryptographic key (K) and then exclusive ORing the thus encrypted control values with the nonsecret values for each designated using station.

10. A method as claimed in any of claims 7 to 9 further comprising, at a designated using station in response to the requesting of a cryptographic operation requiring the use of the cryptographic key generated by the generating station in combination with a control value;

accessing the encrypted secret transport key (KR) and temporarily storing in the local cryptographic facility (410) the encrypted secret transport key together with the control value (C) and the combined functions f3 and f4 transmitted from the generating station;

checking the control value to determine if the requested operation is allowed by such control value;

if the requested operation is allowed, decrypting the stored encrypted secret transport key using a variant (KM1) of the master key (KM), combining the decrypted secret transport key with the combined function f3 using a combining function g3 to recover the generated cryptographic key, combining the recovered cryptographic key (K) with the control value (C) and the nonsecret value for the designated using station to produce an authentication function f4, comparing the temporarily stored combined function f4 with the authenticating function f4, and if such stored combined function f4 and authenticating function f4 are equal, enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

11. A method as claimed in claim 10 wherein the combining to produce the combined function f3 is performed by making the combined function f3 equal to the random number (RN) and wherein the combining function g3 involves encrypting the random number (RN) under the decrypted secret transport key (KR) and then exclusive ORing the encrypted random number with the random number.

12. A method as claimed in claim 10 wherein the combining function g3 is an inverse function of the function f3.

13. A method as claimed in claim 2, wherein each station stores a data base (500) including a plurality of encrypted secret transport keys (KR) unique to each of the using stations and indexed by identifications of the using stations, the encrypted secret transport keys (KR) being encrypted under a variant (KM1) of the master key (KM);

the server station or each such station in response to a generating command, generating a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys for the designated using stations using the identification for such using stations;

decrypting the accessed secret transport keys for the designated using stations using the variant (KM1) of the master key (KM);

reading the control value (C) for the permitted operation for each designated using station;

combining the decrypted secret transport keys (KR) with the generated cryptographic key (K) and the control values (C) for each designated using station to produce combined function f5 for each designated using station; and

transmitting the combined function f5 for each designated using station and the control value (C) to the corresponding designated using station.

14. A method as claimed in claim 13 wherein the combining operation to produce the combined function f5 for each designated using station is performed by encrypting the generated cryptographic key (K) under the control value (C) for the corresponding designated using station to produce a first encrypted value and then encrypting such first encrypted value under the decrypted secret transport key for the corresponding designated using station.

15. A method as claimed in claim 13 or claim 14, further comprising at a designated using station, in response to the requesting of a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value;

accessing the encrypted secret transport key and temporarily storing in the cryptographic facility (710) of the designated using station the encrypted secret transport key (KR) together with the control value (C) and the combined function f5;

checking the control value (C) to determine if the requested operation is allowed by said control value;

if the requested operation is allowed, decrypting the said encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key with the combined function f5 and the control value using a combining function g5 to recover the generated cryptographic key, and enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

16. A method as claimed in claim 15 wherein the combining function g5 is an inverse function of the function f5.

17. A method as claimed in claim 2, wherein each station stores, in a first data base (600), a plurality of encrypted secret transport keys (KR) unique to each pair of using stations in the network and indexed by identifications of pairs of using stations sharing a secret transport key, the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM), and

in a second data base (605), a plurality of nonsecret values (PV) unique to each using station in the network and indexed by identifications of the using stations;

the server station or each such station, in response to a generating command, generating a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys (KR) shared by designated using stations using the identifications for the using station pairs sharing the encrypted secret transport keys;

accessing the nonsecret values (PV) for the designated using stations using the identifications for such designated using stations;

decrypting the accessed secret transport keys using the variant (KM1) of the master key (KM);

reading the control value (C) for the permitted operation for each designated using station;

combining the generated cryptographic key (K) with the decrypted secret transport key (KR), control value (C) and nonsecret value (PV) for each designated using station to produce a combined function f6 for each designated using station; and

transmitting the combined function f6 for each designated using station and the control value (C) to the corresponding designated using station.

18. A method as claimed in claim 17 wherein the combining operation to produce the combined function f6 is performed by encrypting the cryptographic key (K) under the control value (C) for the designated using station to produce a first encrypted value, encrypting the first encrypted value under the nonsecret value (PV) for the designated using station to produce a second encrypted value, and encrypting the second encrypted value under the decrypted secret transport key for the designated using station.

19. A method as claimed in claim 17 or claim 18, further comprising at a designated using station in response to the requesting of a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value (C);

accessing the encrypted secret transport key (KR) and the nonsecret value (PV) and temporarily storing in the cryptographic facility (810) of the designated using station the transmitted encrypted secret transport key (KR) together with the control value (C) and the combined function f6;

checking the control value (C) to determine if the requested operation is allowed by such control value;

if the requested operation is allowed, decrypting the stored encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key (KR) with the control value (C), the nonsecret value (PV) and the combined function f6 using a combining function g6 to recover the generated cryptographic key (K), and enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

20. A method as claimed in claim 18, wherein the combining function g6 is an inverse function of the function of f6.

Patent claims

1. The present invention provides a method for controlling the use of securely transmitted information in a network of stations, in which each potentially cooperating station contains a cryptographic facility (110) which securely stores a master key (KM) and in which, for each transmission between a pair of stations, a cryptographic key result is supplied for each station of the pair by a generating station which is either one of the pair or a station external to the pair, under a cryptographic protocol common to the networks, the cryptographic key results for the transmission having a random component which exists only for the transmission, a master key variant component being particular either to the individual stations or to a pair, characterised in that, in response to a generating command invoked in the generating station (170) for establishing a controlled use, which secures the transmission between a designated pair of stations, the generating station generates the cryptographic key results for each designated station, makes accessible the control value (C) common to the system for the permitted operation for each of the stations for each particular transmission, combines the control value (C) with the common key result or for each individual key result and causes the appropriate combined key result to be established in each station of the pair for the transmission, and wherein the cryptographic facility (110) in each station is adapted, when an operator command is invoked to perform a designated operation with respect to the securely transmitted information, to abort the operation automatically if the control value does not match.

2. A method as in claim 1, wherein each of the stations has both a key generation function (KGF) and a key usage function (KUF), the combined key result being generated by the key generation function of one of a pair of stations and sent to its own key usage function and to the key usage function of the other station; or a server station for the network has a key generation function for the network, the remaining user stations having key usage functions, and the combined key result is generated in the server station and sent to the key usage function of a designated pair of stations.

3. A method as in claim 2, wherein each station stores a data base (100) containing a plurality of encrypted secret transport keys which are unique to each using station and indexed by identifications of the using stations, the encrypted secret transport keys being encrypted under a variant of the master key;

the server station of each of the stations, in response to a generating command, generating a random key (K) in its cryptographic facility (110) as a cryptographic key;

accessing the encrypted secret transport keys (KR) for the designated using stations using the identification for the using stations;

decrypting, in the cryptographic facility of the generating station, the accessed secret transport keys (KR) for the designated using stations using the variant of the master key;

combining the decrypted secret transport keys (KR) with the generated cryptographic key (K) in the cryptographic facility of the generating station to produce a combined function f1 for each of the designated using stations;

reading the control value (C) for the permitted operation for each designated using station;

combining the generated cryptographic key (K) with the control value (C) for each designated using station to produce a combined function f2; and

sending the combined functions f1 and f2 for each designated using station and the control value to the correspondingly designated using station.

4. A method as in claim 3, wherein the combining operation to produce the combined function f1 is performed by encrypting the generated cryptographic key (K) under the decrypted secret transport keys for each designated using station, and wherein the combining operation to produce the combined function f2 is performed by first encrypting the control value (C) for each designated using station under the generated cryptographic key (K) and then exclusive-ORing the thus encrypted control values for each designated using station.

5. A method as in claim 3 or 4, comprising, at a designated using station, in response to the requesting of a cryptographic operation which requires the use of the cryptographic key generated by the generating station in combination with a control value;

accessing the encrypted transport key and temporarily storing, in the local cryptographic facility (310), the encrypted transport key together with the control value (C) and the combined functions f1 and f2;

checking, in the local cryptographic facility, the control value to determine whether the requested operation is allowed by the control value;

if the requested operation is allowed, decrypting the encrypted secret transport key using a variant of the master key, combining the decrypted secret transport key (KR) with the combined function f1 using a combining function g1 to recover the generated cryptographic key (K), combining the recovered cryptographic key (K) with the control value (C) to produce an authentication function f2, for comparison with the temporarily stored function f2, and, if the stored combined function f2 and the authentication function f2 are equal, enabling the requested cryptographic function; otherwise

aborting the requested cryptographic function and erasing the values temporarily stored in the cryptographic facility of the using station.

6. A method as in claim 5, wherein the combining function g1 is an inverse function of the function f1.

7. A method as in claim 2, wherein each station stores, in a first data base (200), a plurality of encrypted secret transport keys which are unique to each pair of using stations in the network and which are indexed by identifications of the pairs of using stations that share a secret transport key (KR), the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM), and, in a second data base (205), a plurality of nonsecret values (PV) which are unique to each of the using stations in the network and indexed by identifications of the using stations;

the server station or each of the stations, in response to a generating command, generating a random number (RN) in its cryptographic facility;

accessing the encrypted secret transport keys shared by designated using stations, using the identifications of the pairs of using stations that share the encrypted secret transport keys;

accessing the nonsecret values for the designated using stations using the identifications for the designated using stations;

decrypting the accessed secret transport keys using the variant of the master key;

combining the generated random number with the decrypted secret transport keys to produce a combined function f3 for each of the designated using stations;

combining the decrypted secret transport key with the combined function f3 to generate the cryptographic key;

reading the control value for the permitted operation for each designated using station;

for each designated using station, combining the generated cryptographic key with the control value and the nonsecret value for the designated using station to produce a combined function f4 for the designated using station; and

sending the combined function f3 and f4 for each designated using station and the control value to the correspondingly designated using station.

8. A method as in claim 7, wherein the combining to produce the combined function f3 is performed by encrypting the random number (RN) under the decrypted secret transport key for each designated using station.

9. A method as in claim 7 or 8, wherein the combining to produce the combined function f4 is performed by first encrypting the control value (C) under the generated cryptographic key (K) and exclusive-ORing the thus encrypted control values with the nonsecret values for each designated using station.

10. Eine Methode wie in einem der Anspruche 7 
bis 9 auBerdem mit einer bestimmten Benut- 
zerstelle als Reaktion auf die Anforderung nach 
einer VerschlUsselungsoperation, die die An- 
wendung des von der Erzeugungsstelle in 
Kombination mit einem Steuervektorwert v er- 
zeugten GeheimUbertragungsschlUssels for- 
dert; 

Zugriff auf den verschlusselten, geheimen 
TransportschlUssel (KR) und vorubergehende 
Speicherung in der ortlichen VerschlUssel- 
ungseinrichtung (410) des verschlusselten ge- 
heimen TransportschlUssels zusammen mit 
dem Steuerwert (C) und den kombinierten 
Funktionen f3 und U , die von der Erzeugungs- 
stelle gesendet werden; 
PrUfen des Steuerwertes, um festzulegen, ob 
die geforderte Operation von einem der Steu- 
erwerte genehmigt wird; 
falls die geforderte Operation zugelassen wird, 
entschlussein des verschlUsselten Transport- 
schlUssels unter Verwendung einer Variante 
(KM 1 ) des HauptschlUssels KM, der den ent- 
schlUsselten, geheimen TransportschlUssel 
(KR) mit der kombinierten Funktion h kombi- 
niert unter Verwendung einer Kombinations- 
funktion g3 zur Wiederherstellung des erzeug- 
ten GeheimUbertragungsschlUssels, der den 



24 



47 



EP 0 292 790 B1 



48 



gungsschlOssel (K) und dem Steuerwert (C) fOr 
jede bestimmte Benutzerstelle zu kombinieren, 
urn eine kombinierte Funktion f 5 fur jede der 
bestimmten Benutzerstellen zu erzeugen; und 
5 die kombinierte Funktion fs fOr jede bestimmte 

Benutzerstelle und den Steuerwert (C) an die 
entsprechend bestimmte Benutzerstelle zu 
senden. 

w 14. Eine Methode wie in Anspruch 13. wobei die 
Kombinationsoperation zur Erzeugung der 
kombinierten Funktion fs fur jede bestimmte 
Benutzerstelle durch VerschiOsseln des er- 
zeugten GeheimUbertragungsschlQssels (K) 
is unter dem Steuervert (C) fur die entsprechend 

bestimmte Benutzerstelle durchgefuhrt wird, 
um einen ersten verschlusselten Wert zu er- 
zeugen und dann den zuerst verschlOsseften 
Wert unter dem entschlOsselten geheimen 
20 TransportschlOssel fOr die entsprechend be- 

stimmte Benutzerstelle zu verschlOsseln. 



wiederhergestellten GeheimObertragungs- 
schlOssel (K) mit dem Steuerwert (C) und dem 
nicht geheimen Wert fOr die bestimmte Benut- 
zerstelle kombiniert, um eine Bestatigungs- 
funktion U zu erzeugen, zum Vergleich der 
vorUbergehend gespeicherten Funktion U mit 
der Bestatigungsfunktion U und falls die ge- 
speicherte, kombinierte Funktion und die 
Bestatigungsfunktion U gleich sind, aktivieren 
der geforderten GeheimGbertragungsfunktion; 
andernfalls 

Abbruch der geforderten GeheimObertragungs- 
funktion und Ldschen der vorUbergehend in 
der VerschlOsselungseinrichtung der Benutzer- 
stelle gespeicherten Werte. 

11. Eine Methode wie in Anspruch 10. wobei die 
^Combination zur Erzeugung der kombinierten 
Funktion f3 durchgefOhrt wird, indem die kom- 
binierte Funktion fa gleich mit der Zufallszahl 
(RN) ist und wobei die Kombinationsfunktion 
g3 das VerschlUsseln der Zufallszahl (RN) 
nach dem Entschlusseln des geheimen Trans- 
portschlOssels (KR) durchfOhrt und dann die 
entschlOsselte Zufallszahl mit der Zufallszahl 25 
Exklusiv-ODER-verknOpft. 

12. Eine Methode wie in Anspruch 10, wobei die 
Kombinationsfunktion g3 eine umgekehrte 
Funktion von Funktion f3 ist. 30 

13. A method as in claim 2, wherein each station stores a database (500) containing a plurality of encrypted secret transport keys (KR) that are unique to each using station and are indexed by identifications of the using stations, the encrypted secret transport keys (KR) being encrypted under a variant of the master key;

the server station of each of the stations, in response to a generate command, generating a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys for the designated using stations using the identification for the using stations;

decrypting the accessed secret transport keys for the designated using stations using the variant (KM1) of the master key (KM);

reading the control value (C) for the authorized operation for each designated using station;

combining the decrypted secret transport keys (KR) with the generated cryptographic



15. A method as in claim 13 or 14, further comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value;

accessing the encrypted secret transport key and temporarily storing, in the local cryptographic facility (710) of the designated using station, the encrypted transport key (KR) together with the control value (C) and the combined function f5;

checking the control value (C) to determine whether the requested operation is permitted by the control value;

if the requested operation is permitted, decrypting the encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key with the combined function f5 and the control value using a combining function g5 to recover the generated cryptographic key, and enabling the requested cryptographic function; otherwise

aborting the requested cryptographic function and erasing the temporarily stored values.

16. A method as in claim 15, wherein the combining function g5 is an inverse function of the function f5.
17. A method as in claim 2, wherein each station stores, in a first database (600), a plurality of encrypted secret transport keys (KR) that are unique to each pair of using stations in the network and are indexed by identifications of the pairs of using stations sharing a secret transport key, the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM), and

in a second database (605), a plurality of non-secret values (PV) that are unique to each of the using stations in the network and are indexed by identifications of the using stations;

the server station or each of the stations, in response to a generate command, generating a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys (KR) shared by designated using stations using the identifications for the pairs of using stations sharing the encrypted secret transport keys;

accessing the non-secret values (PV) for the designated using stations using the identifications for the designated using stations;

decrypting the accessed secret transport key using the variant (KM1) of the master key (KM);

reading the control value (C) for the authorized operation for each designated using station;

combining the generated cryptographic key (K) with the decrypted secret transport key (KR), the control value (C) and the non-secret value (PV) for each designated using station to produce a combined function f6 for the designated using station; and

sending the combined function f6 for each designated using station and the control value (C) to the corresponding designated using station.

18. A method as in claim 17, wherein the combining operation for producing the combined function f6 is performed by encrypting the cryptographic key (K) under the control value (C) for the designated using station to produce a first encrypted value, encrypting the first encrypted value under the non-secret value (PV) for the designated using station to produce a second encrypted value, and encrypting the second encrypted value under the decrypted secret transport key for the designated using station.

19. A method as in claim 17 or 18, further comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value (C);

accessing the encrypted secret transport key (KR) and the non-secret value (PV) and temporarily storing, in the local cryptographic facility (810) of the designated using station, the transmitted encrypted secret transport key (KR) together with the control value (C) and the combined function f6;

checking the control value (C) to determine whether the requested operation is permitted by the control value;

if the requested operation is permitted, decrypting the stored encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key (KR) with the control value (C), the non-secret value (PV) and the combined function f6 using a combining function g6 to recover the generated cryptographic key (K), and enabling the requested cryptographic function; otherwise

aborting the requested cryptographic function and erasing the temporarily stored values.

20. A method as in claim 18, wherein the combining function g6 is an inverse function of the function f6.

Claims

1. A method for controlling the use of securely transmitted information in a network of stations in which each potentially cooperating station includes a cryptographic facility (110) which securely stores a master key (KM) and in which, for each transmission between a pair of stations, a cryptographic key result is provided for each station of the pair by a generating station which is either one of the pair or a station external to the pair, under a cryptographic protocol common to the network, the cryptographic key results for the transmission having a random component nominally unique to the transmission and a master key variant component unique to the stations either individually or as a pair, characterized in that, in response to a generate instruction (170) invoked in the generating station to establish a use-controlled secure transmission between a designated pair of stations, the generating station generates the cryptographic key result for each designated station, accesses the system-wide control value (C) for the authorized operation for each of the stations for the particular transmission, combines the control value (C) with the common key result, or each individual key result, and causes the appropriate combined key result to be established in each station of the pair for the transmission, and in which the cryptographic facility (110) in each station is arranged, when an operating instruction is invoked to perform a designated operation on such securely transmitted information, to abort such operation automatically unless it corresponds to the control value.

2. A method according to claim 1, in which either each station has both a key generating function (KGF) and a key using function (KUF), the combined key result being generated by the key generating function of one of a pair of stations and transmitted to its own key using function and to the key using function of the other station; or a server station for the network has a key generating function for the network, the remaining using stations having key using functions, and the combined key result is produced in the server station and is transmitted to the key using function of a designated pair of stations.

3. A method according to claim 2, in which each station maintains a database (100) comprising a plurality of encrypted secret transport keys unique to each using station and indexed by identifications of the using stations, the encrypted secret transport keys being encrypted under a variant of the master key;

the server station of any such station generating, in response to a generate instruction, a random key (K) in its cryptographic facility (110) as a cryptographic key;

accessing the encrypted secret transport keys (KR) for the designated using stations using the identification for the using stations;

decrypting, in the cryptographic facility of the generating station, the accessed secret transport keys (KR) for the designated using stations using the variant of the master key;

combining, in the cryptographic facility of the generating station, the decrypted secret transport keys (KR) with the generated cryptographic key (K) to give a combined function f1 for each designated using station;

reading the control value (C) for the authorized operation for each designated using station;

combining the generated cryptographic key (K) with the control value (C) for each designated using station to produce a combined function f2; and

transmitting the combined functions f1 and f2 for each designated using station and the control value to the corresponding designated using station.

4. A method according to claim 3, in which the combining operation for producing the combined function f1 is performed by encrypting the generated cryptographic key (K) under the decrypted secret transport keys (KR) for each designated using station, and in which the combining operation for producing the combined function f2 is performed by first encrypting the control values (C) for each designated using station under the generated cryptographic key (K) and then exclusive-ORing the control values thus encrypted with the control values for each designated using station.

5. A method according to claim 3 or claim 4, comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key generated by the generating station in combination with a control value;

accessing the encrypted secret transport key and temporarily storing, in the local cryptographic facility (310), that encrypted secret transport key together with the control value (C) and the combined functions f1 and f2;

checking, in the local cryptographic facility, the control value to determine whether the requested operation is authorized by that control value;

if the requested operation is authorized, decrypting the encrypted secret transport key using a variant of said master key, combining the decrypted secret transport key (KR) with the combined function f1 using a combining function g1 to recover the generated cryptographic key (K), combining the recovered cryptographic key (K) with the control value (C) to produce an authentication function f2, comparing the temporarily stored combined function f2 and, if the stored combined function f2 and the authentication function f2 are equal, enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the values temporarily stored in the cryptographic facility of the using station.

6. A method according to claim 5, in which the combining function g1 is an inverse function of the function f1.

7. A method according to claim 2, in which each station maintains, in a first database (200), a plurality of encrypted secret transport keys unique to each pair of using stations in the network and indexed by identifications of pairs of using stations sharing a secret transport key (KR), the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM) and, in a second database (205), a plurality of non-secret values (PV) unique to each using station in the network and indexed by identifications of such using stations;

the server station or each such station generating, in response to a generate instruction, a random number (RN) in its cryptographic facility;

accessing the encrypted secret transport keys shared by designated using stations using the identifications for the pairs of using stations sharing the encrypted secret transport keys;

accessing the non-secret values for the designated using stations using the identifications for the designated using stations;

decrypting the accessed secret transport keys using the variant of the master key;

combining the generated random number with the decrypted secret transport keys to produce a combined function f3 for each of the designated using stations;

combining the decrypted secret transport key with said combined function f3 to produce the cryptographic key;

reading the control value for the authorized operation for each designated using station;

for each designated using station, combining the generated cryptographic key with the control value and the non-secret value for the designated using station to produce a combined function f4 for the designated using station; and

transmitting the combined function f3 and f4 for each designated using station and the control value to the corresponding designated using station.

8. A method according to claim 7, in which the combination for producing the combined function f3 is performed by encrypting the random number (RN) under the decrypted secret transport key for each designated using station.

9. A method according to claim 7 or claim 8, in which the combination for producing the combined function f4 is performed by first encrypting the control values (C) under the generated cryptographic key (K) and then exclusive-ORing the control values thus encrypted with the non-secret values for each designated using station.

10. A method according to any one of claims 7 to 9, further comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key generated by the generating station in combination with a control value;

accessing the encrypted secret transport key (KR) and temporarily storing, in the local cryptographic facility (410), the encrypted secret transport key together with the control value (C) and the combined functions f3 and f4 transmitted from the generating station;

checking the control value to determine whether the requested operation is authorized by such control value;

if the requested operation is authorized, decrypting the encrypted secret transport key using a variant (KM1) of the master key (KM), combining the decrypted secret transport key with the combined function f3 using a combining function g3 to recover the generated cryptographic key, combining the recovered cryptographic key (K) with the control value (C) and the non-secret value for the designated using station to produce an authentication function f4, comparing the temporarily stored combined function f4 with the authentication function f4 and, if such stored combined function f4 and such authentication function f4 are equal, enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

11. A method according to claim 10, in which the combination for producing the combined function f3 is performed by making the combined function f3 equal to the random number (RN) and in which the combining function g3 involves encrypting the random number (RN) under the decrypted secret transport key (KR) and then exclusive-ORing the encrypted random number with the random number.

12. A method according to claim 10, in which the combining function g3 is an inverse function of the function f3.

13. A method according to claim 2, in which each station maintains a database (500) comprising a plurality of encrypted secret transport keys (KR) unique to each of the using stations and indexed by identifications of the using stations, the encrypted secret transport keys (KR) being encrypted under a variant (KM1) of the master key (KM);

the server station of each such station generating, in response to a generate instruction, a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys for the designated using stations using the identification for such using stations;

decrypting the accessed secret transport keys for the designated using stations using the variant (KM1) of the master key (KM);

reading the control value (C) for the authorized operation for each designated using station;

combining the decrypted secret transport keys (KR) with the generated cryptographic key (K) and the control values (C) for each designated using station to produce a combined function f5 for each designated using station; and

transmitting the combined function f5 for each designated using station and the control value (C) to the corresponding designated using station.

14. A method according to claim 13, in which the combining operation for producing the combined function f5 for each designated using station is performed by encrypting the generated cryptographic key (K) under the control value (C) for the corresponding designated using station to produce a first encrypted value and then encrypting such first encrypted value under the decrypted secret transport key for the corresponding using station.

15. A method according to claim 13 or claim 14, further comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value;

accessing the encrypted secret transport key and temporarily storing, in the cryptographic facility (710) of the designated using station, the encrypted secret transport key (KR) together with the control value (C) and the combined function f5;

checking the control value (C) to determine whether the requested operation is authorized by said control value;

if the requested operation is authorized, decrypting said encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key with the combined function f5 and the control value using a combining function g5 to recover the generated cryptographic key, and enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

16. A method according to claim 15, in which the combining function g5 is an inverse function of the function f5.

17. A method according to claim 2, in which each station maintains, in a first database (600), a plurality of encrypted secret transport keys (KR) unique to each pair of using stations in the network and indexed by identifications of pairs of using stations sharing a secret transport key, the encrypted secret transport keys being encrypted under a variant (KM1) of the master key (KM), and

in a second database (605), a plurality of non-secret values (PV) unique to each using station in the network and indexed by identifications of the using stations;

the server station or each such station generating, in response to a generate instruction, a random number in its cryptographic facility as a cryptographic key (K);

accessing the encrypted secret transport keys (KR) shared by designated using stations, using the identifications for the pairs of using stations sharing the encrypted secret transport keys;

accessing the non-secret values (PV) for the designated using stations, using the identifications for such designated using stations;

decrypting the accessed secret transport keys using the variant (KM1) of the master key (KM);

reading the control value (C) for the authorized operation for each designated using station;

combining the generated cryptographic key (K) with the decrypted secret transport key (KR), the control value (C) and the non-secret value (PV) for each designated using station to produce a combined function f6 for each designated using station; and

transmitting the combined function f6 for each designated using station and the control value (C) to the corresponding designated using station.

18. A method according to claim 17, in which the combining operation for producing the combined function f6 is performed by encrypting the cryptographic key (K) under the control value (C) for the designated using station to produce a first encrypted value, encrypting the first encrypted value under the non-secret value (PV) for the designated using station to produce a second encrypted value, and encrypting the second encrypted value under the decrypted secret transport key for the designated using station.

19. A method according to claim 17 or claim 18, further comprising, at a designated using station, in response to the request for a cryptographic operation requiring the use of the cryptographic key (K) generated by the generating station in combination with a control value (C);

accessing the encrypted secret transport key (KR) and the non-secret value (PV) and temporarily storing, in the cryptographic facility (810) of the designated using station, the transmitted encrypted secret transport key (KR) together with the control value (C) and the combined function f6;

checking the control value (C) to determine whether the requested operation is authorized by that control value;

if the requested operation is authorized, decrypting the stored encrypted secret transport key (KR) using a variant (KM1) of the master key (KM), combining the decrypted secret transport key (KR) with the control value (C), the non-secret value (PV) and the combined function f6 using a combining function g6 to recover the generated cryptographic key (K), and enabling the requested cryptographic operation; otherwise,

aborting the requested cryptographic operation and erasing the temporarily stored values.

20. A method according to claim 18, in which the combining function g6 is an inverse function of the function f6.
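
An added sketch of two of the binding schemes in the claims above, not code from the patent: claims 3 to 5 (f1 = E_KR(K), f2 = E_K(C) XOR C, recomputed and compared at the using station) and claims 13 to 15 (f5 = E_KR(E_C(K))). The toy Feistel cipher, the bit layout of the control value C and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 8                            # 64-bit values, as in a DES-era facility
OP_ENCRYPT, OP_DECRYPT = 0x01, 0x02  # assumed bit layout of control value C

class Aborted(Exception):
    """The facility refused the operation and discards its temporary values."""

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt(key, block):
    """Toy 8-round Feistel cipher standing in for the facility's block cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def control_value(ops):
    # Assumed encoding: permitted operations as a bit mask in the first byte.
    return bytes([ops]) + bytes(BLOCK - 1)

def generate_f1_f2(kr, c):
    """Generating station: f1 = E_KR(K), f2 = E_K(C) XOR C."""
    k = secrets.token_bytes(BLOCK)
    # K is returned only so the demo can compare; a real facility keeps it inside.
    return k, encrypt(kr, k), _xor(encrypt(k, c), c)

def use_f1_f2(km1, enc_kr, c, f1, f2, op):
    """Using station: check C, recover K with g1, recompute f2, compare."""
    if not c[0] & op:
        raise Aborted("operation not permitted by C")
    kr = decrypt(km1, enc_kr)          # KR is stored encrypted under KM1
    k = decrypt(kr, f1)                # g1 is the inverse of f1
    if not hmac.compare_digest(_xor(encrypt(k, c), c), f2):
        raise Aborted("C does not match f2")
    return k

def generate_f5(kr, c):
    """Generating station: f5 = E_KR(E_C(K))."""
    k = secrets.token_bytes(BLOCK)
    return k, encrypt(kr, encrypt(c, k))

def use_f5(km1, enc_kr, c, f5, op):
    """Using station: check C, then K = D_C(D_KR(f5)); no comparison step."""
    if not c[0] & op:
        raise Aborted("operation not permitted by C")
    return decrypt(c, decrypt(decrypt(km1, enc_kr), f5))

def refused(fn, *args):
    """True if the using-station routine aborts instead of releasing a key."""
    try:
        fn(*args)
    except Aborted:
        return True
    return False

def demo():
    """Constructed sample keys; C grants encrypt only, the forgery adds decrypt."""
    km1, kr = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    enc_kr = encrypt(km1, kr)
    c, forged = control_value(OP_ENCRYPT), control_value(OP_ENCRYPT | OP_DECRYPT)
    k, f1, f2 = generate_f1_f2(kr, c)
    k5, f5 = generate_f5(kr, c)
    return (
        use_f1_f2(km1, enc_kr, c, f1, f2, OP_ENCRYPT) == k,         # honest use
        refused(use_f1_f2, km1, enc_kr, forged, f1, f2, OP_DECRYPT),  # forged C
        use_f5(km1, enc_kr, forged, f5, OP_DECRYPT) == k5,          # forged C
    )

if __name__ == "__main__":
    print(demo())
```

In the first scheme a forged control value is detected by the f2 comparison and the operation aborts; in the second nothing is compared, and a forged C simply yields a key different from K.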